[ https://issues.apache.org/jira/browse/OAK-320?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Thomas Mueller updated OAK-320:
-------------------------------
Description:
For security reasons, literals should not be used in queries, because it is
easy to forget to quote them correctly. This is especially risky for admin sessions.
Example:
{noformat}
qm.createQuery("select user from [acme:user] where " +
"name = '" + userName + "' and " +
"password = '" + password + "'", Query.JCR_SQL2);
{noformat}
Most developers know they are supposed to use bind variables, but history has
shown that even experienced developers (for whatever reason) still sometimes
don't do it. Fortunately, the JCR API does not provide ways to manipulate data
within a query; however, there is still a risk, especially for admin sessions.
A simple way to find out whether bind variables are used throughout the code is
to disable literals in queries (so that if a literal is used within a query,
the query will fail to parse). This feature could be used in unit tests only,
or additionally in production, or just for some sessions (for example, only
admin sessions).
The query parser already supports disabling literals, but there is currently no
way to switch it on. There are multiple ways to enable this switch: for
example, literals are always disabled just for admin sessions. Or literals are
always disabled for all sessions unless the session was opened with literals
explicitly enabled:
{noformat}
SimpleCredentials c = new SimpleCredentials(user, password);
c.setAttribute("queryLiterals", "true");
return getRepository().login(c);
{noformat}
was:
For security reasons, literals should not be used in queries, because it is
easy to forget to quote them correctly. This is especially risky for admin sessions.
Example:
qm.createQuery("select user from [acme:user] where " +
"name = '" + userName + "' and " +
"password = '" + password + "'", Query.JCR_SQL2);
Most developers know they are supposed to use bind variables, but history has
shown that many developers (for whatever reason) still sometimes don't do it.
Fortunately, the JCR API does not provide ways to manipulate data within a
query; however, there is still a risk, especially for admin sessions.
A simple way to find out whether bind variables are used throughout the code is
to disable literals in queries (so that if a literal is used within a query,
the query will fail to parse). This feature could be used in unit tests only,
or in production, or just for some sessions (for example, only admin sessions).
The query parser already supports disabling literals, but there is currently no
way to enable this feature. There are multiple ways to enable this switch: for
example, literals are always disabled just for admin sessions. Or literals are
always disabled for all sessions unless the session was opened with literals
explicitly enabled:
SimpleCredentials c = new SimpleCredentials(
"admin", "admin".toCharArray());
c.setAttribute("queryLiterals", "true");
return getRepository().login(c);
Summary: Query: ability to disable/enable literals in queries to
protect against code injection (was: Query: ability to disable/enable literals
in queries)
> Query: ability to disable/enable literals in queries to protect against code
> injection
> --------------------------------------------------------------------------------------
>
> Key: OAK-320
> URL: https://issues.apache.org/jira/browse/OAK-320
> Project: Jackrabbit Oak
> Issue Type: Improvement
> Components: core, jcr
> Reporter: Thomas Mueller
> Assignee: Thomas Mueller
> Priority: Minor
>
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
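The query from OAK-320 in its concatenated form beside the bind-variable form the issue recommends, as an added example that is not code from the issue or from Jackrabbit Oak. It assumes the issue's placeholder node type [acme:user] and property names, a JCR 2.0 Session obtained elsewhere, and a constructed password value chosen to show how a stray quote rewrites the statement:

```java
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.ValueFactory;
import javax.jcr.query.Query;
import javax.jcr.query.QueryManager;
import javax.jcr.query.QueryResult;

/**
 * Added example (not code from OAK-320 or from Oak): the concatenated
 * JCR-SQL2 query from the issue next to the bind-variable form it should use.
 * The node type acme:user and the property names are the issue's placeholders.
 */
public class UserLookup {

    /** Vulnerable form from the issue: untrusted strings are spliced into the query text. */
    static String buildConcatenatedQuery(String userName, String password) {
        return "select user from [acme:user] where " +
                "name = '" + userName + "' and " +
                "password = '" + password + "'";
    }

    /** Hardened form: the statement is a constant; input values travel as bind variables. */
    static final String SAFE_QUERY =
            "select user from [acme:user] where name = $name and password = $password";

    /** Runs the hardened query; the session is assumed to come from a normal login. */
    static QueryResult findUser(Session session, String userName, String password)
            throws RepositoryException {
        QueryManager qm = session.getWorkspace().getQueryManager();
        ValueFactory vf = session.getValueFactory();
        Query q = qm.createQuery(SAFE_QUERY, Query.JCR_SQL2);
        // Bound values are typed javax.jcr.Value objects and are never re-parsed as
        // query text, so a quote in the input cannot change the statement's structure.
        q.bindValue("name", vf.createValue(userName));
        q.bindValue("password", vf.createValue(password));
        return q.execute();
    }

    /** Shows what the concatenated builder emits for a constructed, quote-bearing password. */
    static String demonstrateInjection() {
        // Constructed input: closes the password literal and appends an OR branch.
        String craftedPassword = "' or name = 'admin";
        return buildConcatenatedQuery("nobody", craftedPassword);
    }

    public static void main(String[] args) {
        System.out.println(demonstrateInjection());
    }
}
```

With the constructed value, the concatenated builder ends its statement in `password = '' or name = 'admin'`; since AND binds tighter than OR, the constraint is satisfied by the admin node whatever its password, which is exactly the read-only risk the issue points out for admin sessions. Passed through `bindValue`, the same string is compared as an opaque value. `Query.getBindVariableNames()` on the prepared statement is a cheap thing to assert on in a unit test, complementing the parser-level literal switch the issue proposes.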