[ 
https://issues.apache.org/jira/browse/KYLIN-2046?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15586939#comment-15586939
 ] 

liyang commented on KYLIN-2046:
-------------------------------

As mail replied from SourceClear, the real source is this JIRA.

Since no further input from Ted, I'm closing this JIRA to avoid confusion.

Be free to re-open if anyone has different opinion and like to further discuss.

> Potential injected SQL attack vulnerability in QueryService
> -----------------------------------------------------------
>
>                 Key: KYLIN-2046
>                 URL: https://issues.apache.org/jira/browse/KYLIN-2046
>             Project: Kylin
>          Issue Type: Bug
>            Reporter: Ted Yu
>         Attachments: mail from SourceClear.png
>
>
> {code}
>         String correctedSql = QueryUtil.massageSql(sqlRequest);
>         if (!correctedSql.equals(sqlRequest.getSql())) {
> ...
>         return execute(correctedSql, sqlRequest);
> {code}
> massageSql() uses regex to detect malformed SQL.
> However, there may be SQL injection which is not detected by massageSql().



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to