[ 
https://issues.apache.org/jira/browse/KYLIN-2046?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Shaofeng SHI closed KYLIN-2046.
-------------------------------

> Potential injected SQL attack vulnerability in QueryService
> -----------------------------------------------------------
>
>                 Key: KYLIN-2046
>                 URL: https://issues.apache.org/jira/browse/KYLIN-2046
>             Project: Kylin
>          Issue Type: Bug
>            Reporter: Ted Yu
>         Attachments: mail from SourceClear.png
>
>
> {code}
>         String correctedSql = QueryUtil.massageSql(sqlRequest);
>         if (!correctedSql.equals(sqlRequest.getSql())) {
> ...
>         return execute(correctedSql, sqlRequest);
> {code}
> massageSql() uses regex to detect malformed SQL.
> However, there may be SQL injection which is not detected by massageSql().



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Reply via email to