[ 
https://issues.apache.org/jira/browse/OAK-320?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Thomas Mueller resolved OAK-320.
--------------------------------

    Resolution: Fixed

The ability to log queries with literals should simplify detecting code 
injection problems in the code.
                
> Query: ability to disable/enable literals in queries to protect against code 
> injection
> --------------------------------------------------------------------------------------
>
>                 Key: OAK-320
>                 URL: https://issues.apache.org/jira/browse/OAK-320
>             Project: Jackrabbit Oak
>          Issue Type: Improvement
>          Components: core, jcr
>            Reporter: Thomas Mueller
>            Assignee: Thomas Mueller
>            Priority: Minor
>
> For security reasons, literals should not be used in queries, because it is 
> easy to forget to quote correctly. This is especially risky for admin sessions. 
> Example:
> {noformat}
> qm.createQuery("select user from [acme:user] where " + 
>     "name = '" + userName + "' and " + 
>     "password = '" + password + "'", Query.JCR_SQL2);
> {noformat}
> Most developers know they are supposed to use bind variables, but history has 
> shown that even experienced developers (for whatever reasons) still don't do 
> it sometimes. Fortunately the JCR API does not provide ways to manipulate 
> data within a query; however, there is still a risk, especially for admin 
> sessions.
> A simple way to find out whether bind variables are used throughout the code 
> is to disable literals in queries (so that if a literal is used within a 
> query, the query will fail to parse). This feature could be used in unit 
> tests only, or additionally in production, or just for some sessions (for 
> example only admin sessions). 
> The query parser already supports disabling literals, but there is currently 
> no way to switch it on. There are multiple ways we could enable this 
> switch: for example, literals are always disabled just for admin sessions. Or 
> literals are always disabled for all sessions except if the session was 
> opened with literals explicitly enabled:
> {noformat}
> SimpleCredentials c = new SimpleCredentials(user, password);
> c.setAttribute("queryLiterals", "true");
> return getRepository().login(c);
> {noformat}

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
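The concatenated query from the issue next to its bind-variable rewrite, as an added example that is not part of the issue or of Oak's own code. The node type `acme:user`, the property names and the alias `u` are assumed from the issue's snippet; a literal-free parser of the kind the issue proposes would reject `findUserUnsafe` and accept `findUser`.

```java
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.ValueFactory;
import javax.jcr.query.Query;
import javax.jcr.query.QueryManager;
import javax.jcr.query.QueryResult;

public class UserLookup {

    // The issue's pattern: user input is spliced into the statement text, so a
    // single quote in userName or password changes the query. Kept only as the
    // "before" form; a parser with literals disabled fails to parse this query.
    public static QueryResult findUserUnsafe(Session session, String userName,
                                             String password) throws RepositoryException {
        QueryManager qm = session.getWorkspace().getQueryManager();
        Query q = qm.createQuery(
            "select * from [acme:user] as u where u.[name] = '" + userName
                + "' and u.[password] = '" + password + "'",
            Query.JCR_SQL2);
        return q.execute();
    }

    // Statement text is constant; the only values that vary are bound below.
    private static final String FIND_USER =
        "select * from [acme:user] as u "
      + "where u.[name] = $name and u.[password] = $password";

    // Hardened form: values travel as bind variables, so no quoting is needed
    // in application code and the statement contains no literals at all.
    public static QueryResult findUser(Session session, String userName,
                                       String password) throws RepositoryException {
        QueryManager qm = session.getWorkspace().getQueryManager();
        ValueFactory vf = session.getValueFactory();
        Query q = qm.createQuery(FIND_USER, Query.JCR_SQL2);
        q.bindValue("name", vf.createValue(userName));
        q.bindValue("password", vf.createValue(password));
        // JCR rejects execution while any $variable is unbound, so a
        // half-converted query fails loudly instead of silently matching.
        return q.execute();
    }
}
```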