Michael Werle created NIFI-5253:
-----------------------------------
Summary: GenerateTableFetch and QueryDatabaseTable use un-escaped string literals
Key: NIFI-5253
URL: https://issues.apache.org/jira/browse/NIFI-5253
Project: Apache NiFi
Issue Type: Bug
Affects Versions: 1.6.0
Reporter: Michael Werle
{{org.apache.nifi.processors.standard.AbstractDatabaseFetchProcessor#getLiteralByType}} uses un-escaped values from the database as string literals in later statements:
{code:java}
protected static String getLiteralByType(int type, String value, String databaseType) {
    // Format value based on column type. For example, strings and timestamps need to be quoted
    switch (type) {
        // For string-represented values, put in single quotes
        case CHAR:
        case LONGNVARCHAR:
        case LONGVARCHAR:
        case NCHAR:
        case NVARCHAR:
        case VARCHAR:
        case ROWID:
        case DATE:
        case TIME:
            return "'" + value + "'";
        ...
{code}
The value is the last computed maximum value; it is stored in the state manager un-escaped. Granted, this is only used for maximum value columns, but it will blow up on anything with a single quote in it, and presents a really good opportunity for attackers who can manipulate any of these columns. Ideally, this method should be removed entirely and the code using it refactored to use standard JDBC variable binding. In the short run, using {{org.apache.commons.lang.StringEscapeUtils#escapeSql}} or simply replacing all instances of a single quote with two single quotes (the SQL escape mechanism) might help; I don't remember if doing so is safe or not.
--
This message was sent by Atlassian JIRA (v7.6.3#76005)
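The three ways of turning a stored maximum value into a WHERE-clause predicate that the issue discusses, shown side by side as an added example in plain Java that is not NiFi code: the concatenation pattern the report describes, the doubled-single-quote escape suggested as a stopgap, and the JDBC bind-variable form the reporter prefers. It assumes only the `java.sql.Types` constants; the class name and the helper names (`naiveLiteral`, `escapedLiteral`, `boundPredicate`) are hypothetical, and the numeric-validation rule applied to non-quoted types is an assumption that the issue does not state.

```java
import java.sql.Types;
import java.util.ArrayList;
import java.util.List;

/**
 * Added illustration for NIFI-5253, not NiFi code. Contrasts three ways of
 * building a "column > maxValue" predicate from a value read back from state.
 * Helper names are hypothetical.
 */
public class MaxValuePredicateDemo {

    // The column types the issue shows being wrapped in single quotes.
    private static boolean isQuotedType(int type) {
        switch (type) {
            case Types.CHAR:
            case Types.LONGNVARCHAR:
            case Types.LONGVARCHAR:
            case Types.NCHAR:
            case Types.NVARCHAR:
            case Types.VARCHAR:
            case Types.ROWID:
            case Types.DATE:
            case Types.TIME:
                return true;
            default:
                return false;
        }
    }

    // Pattern the issue reports: the stored value is concatenated verbatim.
    // A perfectly ordinary value such as O'Brien produces 'O'Brien', which is
    // not valid SQL, so the fetch fails on the next run.
    static String naiveLiteral(int type, String value) {
        return isQuotedType(type) ? "'" + value + "'" : value;
    }

    // Short-run mitigation named in the issue: double every single quote, the
    // standard SQL escape for a quote inside a string literal. Non-quoted
    // (numeric) types are still spliced into the statement as text, so this
    // helper additionally insists they look like a number (assumption: an
    // optional sign, digits, optional decimal part) rather than passing them
    // through unchecked.
    static String escapedLiteral(int type, String value) {
        if (isQuotedType(type)) {
            return "'" + value.replace("'", "''") + "'";
        }
        if (!value.matches("-?\\d+(\\.\\d+)?")) {
            throw new IllegalArgumentException("non-numeric maximum value for a numeric column");
        }
        return value;
    }

    // Preferred fix named in the issue: emit a bind placeholder and hand the
    // raw value to the caller for PreparedStatement#setObject, so the value
    // is never part of the SQL text and no escaping rule has to be right.
    static String boundPredicate(String column, int type, String value, List<Object> binds) {
        binds.add(value);
        return column + " > ?";
    }

    public static void main(String[] args) {
        // Constructed sample: a maximum value that legitimately contains a quote.
        String storedMax = "O'Brien";

        System.out.println("naive:   name > " + naiveLiteral(Types.VARCHAR, storedMax));
        System.out.println("escaped: name > " + escapedLiteral(Types.VARCHAR, storedMax));

        List<Object> binds = new ArrayList<>();
        String predicate = boundPredicate("name", Types.VARCHAR, storedMax, binds);
        System.out.println("bound:   " + predicate + "   binds=" + binds);
    }
}
```

Run it with `java MaxValuePredicateDemo.java` (Java 11 or later). The naive line is the shape that breaks; the escaped line shows why the quote-doubling stopgap repairs the string case but still leaves numeric columns depending on a separate validation step; the bound line is the form in which the stored value never reaches the SQL parser at all, which is why the issue asks for the method to be replaced by JDBC binding rather than patched.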