Re: Review Request 50616: Coverity Scan Security Vulnerability - SQL injection

Sumit Mohanty Mon, 01 Aug 2016 09:30:48 -0700

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/50616/#review144346
-----------------------------------------------------------



Ship it!




Ship It!

- Sumit Mohanty


On July 29, 2016, 9:19 p.m., Robert Levas wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/50616/
> -----------------------------------------------------------
> 
> (Updated July 29, 2016, 9:19 p.m.)
> 
> 
> Review request for Ambari, Mahadev Konar, Sumit Mohanty, and Yusaku Sako.
> 
> 
> Bugs: AMBARI-17962
>     https://issues.apache.org/jira/browse/AMBARI-17962
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> The Ambari coverity scan found two "High impact security" issues, both SQL 
> Injections.  They are both the same coding issue, but one is in 
> OracleConnector.java, and one is in the analogous method in 
> PostgresConnector.java.
> 
> This is the key description:
> ```
> CID 167755 (#1 of 1): SQL injection (SQLI)9. sql_taint: Insecure 
> concatenation of a SQL statement. The value searchClause is tainted.
> 
> Perform one of the following to guard against SQL injection attacks.
> * Parameterize the SQL statement using ? positional characters. Bind the 
> tainted values to the ? positional parameters using one of the 
> PreparedStatement.set* methods.
> * Validate user-supplied values against predefined constant values. 
> Concatenate these constant values into the SQL statement.
> * Cast tainted values to safe types such as integers. Concatenate these type 
> safe values into the statement.
> 
> [More 
> Information|https://scan3.coverity.com/doc/en/cov_checker_ref.html#id_sql_generic]
> ```
> 
> This is the one in OracleConnector.java, lines 32 -55:
> 
> ```
> 32  @Override
>   8. taint_path_param: Parameter searchClause receives the tainted data.
> 33  protected PreparedStatement getQualifiedPS(Statements statement, String 
> searchClause, Workflows.WorkflowDBEntry.WorkflowFields field, boolean 
> sortAscending, int offset, int limit) throws IOException {
> 34    if (db == null)
> 35      throw new IOException("db not initialized");
> 36
> 37    String order = " ORDER BY " + field.toString() + " " + (sortAscending ? 
> SORT_ASC : SORT_DESC);
> 38
> 39    String query = "select * \n" +
> 40        "  from ( select " +
> 41//        "/*+ FIRST_ROWS(n) */ \n" +
> 42        "  a.*, ROWNUM rnum \n" +
> 43        "      from ("
>   CID 167755 (#1 of 1): SQL injection (SQLI)9. sql_taint: Insecure 
> concatenation of a SQL statement. The value searchClause is tainted.
>   Perform one of the following to guard against SQL injection attacks.
> 
>     Parameterize the SQL statement using ? positional characters. Bind the 
> tainted values to the ? positional parameters using one of the 
> PreparedStatement.set* methods.
>     Validate user-supplied values against predefined constant values. 
> Concatenate these constant values into the SQL statement.
>     Cast tainted values to safe types such as integers. Concatenate these 
> type safe values into the statement.
> 
> More Information
> 44        + statement.getStatementString() + searchClause + order +
> 45        ") a \n" +
> 46        "      where ROWNUM <= " + (offset + limit) + ") \n" +
> 47        "where rnum  >= " + offset;
> 48
> 49    try {
>   10. sql_sink: Passing the tainted value query to the SQL API 
> java.sql.Connection.prepareStatement(java.lang.String) may allow an attacker 
> to inject SQL.
> 50      return db.prepareStatement(query);
> 51    } catch (SQLException e) {
> 52      throw new IOException(e);
> 53    }
> 54
> 55  }
> ```
> This is the one in PostgresConnector.java, lines 495-504:
> 
> ``` 
>    8. taint_path_param: Parameter searchClause receives the tainted data.
> 495  protected PreparedStatement getQualifiedPS(Statements statement, String 
> searchClause) throws IOException {
> 496    if (db == null)
> 497      throw new IOException("postgres db not initialized");
> 498    try {
> 499      // LOG.debug("preparing " + statement.getStatementString() + 
> searchClause);
>    CID 167743 (#1 of 1): SQL injection (SQLI)9. sql_taint: Insecure 
> concatenation of a SQL statement. The value searchClause is tainted. Passing 
> the tainted command to the SQL API 
> java.sql.Connection.prepareStatement(java.lang.String) may allow an attacker 
> to inject SQL.
>    Perform one of the following to guard against SQL injection attacks.
> 
>     Parameterize the SQL statement using ? positional characters. Bind the 
> tainted values to the ? positional parameters using one of the 
> PreparedStatement.set* methods.
>     Validate user-supplied values against predefined constant values. 
> Concatenate these constant values into the SQL statement.
>     Cast tainted values to safe types such as integers. Concatenate these 
> type safe values into the statement.
> 
> More Information
> 500      return db.prepareStatement(statement.getStatementString() + 
> searchClause);
> 501    } catch (SQLException e) {
> 502      throw new IOException(e);
> 503    }
> 504  }
> ```
> 
> #Solution
> Remove code supporting an unsupported REST API call to obtain jobtracker 
> information.  his entry point is handled by 
> {{org.apache.ambari.eventdb.webservice.WorkflowJsonService}}.  By removing 
> this class and cleaning up orphaned code, the SQL injection issue list above 
> will be solved.
> 
> 
> Diffs
> -----
> 
>   ambari-server/src/main/java/org/apache/ambari/eventdb/db/DBConnector.java 
> b859114 
>   
> ambari-server/src/main/java/org/apache/ambari/eventdb/db/MySQLConnector.java 
> c59b800 
>   
> ambari-server/src/main/java/org/apache/ambari/eventdb/db/OracleConnector.java 
> 92a5763 
>   
> ambari-server/src/main/java/org/apache/ambari/eventdb/db/PostgresConnector.java
>  421d001 
>   ambari-server/src/main/java/org/apache/ambari/eventdb/model/DataTable.java 
> 4fcac8e 
>   ambari-server/src/main/java/org/apache/ambari/eventdb/model/Jobs.java 
> 75fd3ca 
>   
> ambari-server/src/main/java/org/apache/ambari/eventdb/model/TaskAttempt.java 
> 526d63d 
>   ambari-server/src/main/java/org/apache/ambari/eventdb/model/TaskData.java 
> 37007df 
>   
> ambari-server/src/main/java/org/apache/ambari/eventdb/model/TaskLocalityData.java
>  e50a1a0 
>   
> ambari-server/src/main/java/org/apache/ambari/eventdb/model/WorkflowContext.java
>  c2b0468 
>   
> ambari-server/src/main/java/org/apache/ambari/eventdb/model/WorkflowDag.java 
> 07056bf 
>   ambari-server/src/main/java/org/apache/ambari/eventdb/model/Workflows.java 
> 541ce79 
>   
> ambari-server/src/main/java/org/apache/ambari/eventdb/webservice/JAXBContextResolver.java
>  974155c 
>   
> ambari-server/src/main/java/org/apache/ambari/eventdb/webservice/WorkflowJsonService.java
>  3ef56ab 
>   
> ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
>  5d0bb18 
> 
> Diff: https://reviews.apache.org/r/50616/diff/
> 
> 
> Testing
> -------
> 
> # Local test results: 
> [INFO] 
> ------------------------------------------------------------------------
> [INFO] BUILD SUCCESS
> [INFO] 
> ------------------------------------------------------------------------
> [INFO] Total time: 1:11:45.717s
> [INFO] Finished at: Fri Jul 29 15:04:53 EDT 2016
> [INFO] Final Memory: 61M/1865M
> [INFO] 
> ------------------------------------------------------------------------
> 
> # Jekins test results: PENDING
> 
> 
> Thanks,
> 
> Robert Levas
> 
>

Re: Review Request 50616: Coverity Scan Security Vulnerability - SQL injection

Reply via email to