Alexander Kolbasov created SENTRY-1476:
------------------------------------------
Summary: SentryStore is subject to JDQL injection
Key: SENTRY-1476
URL: https://issues.apache.org/jira/browse/SENTRY-1476
Project: Sentry
Issue Type: Bug
Components: Core
Affects Versions: 1.7.0, sentry-ha-redesign
Reporter: Alexander Kolbasov
SentryStore.java has a bunch of places where the query is constructed by
concatenating strings rather than using JDQL parameters. This is subject to
JDQL injection since some of the parameters come from Thrift.
All strings from Thrift should be passed as parameters, not as string
concatenation.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
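To make the issue concrete, the following is an added illustration and not code from SentryStore.java or the Sentry project: a JDO query built by string concatenation next to the same lookup done with query parameters. The persistence-capable class `Role`, its fields `roleName` and `grantorPrincipal`, and the `PersistenceManager` handed to `RoleLookup` are assumptions made for the example; the only API used is the standard `javax.jdo.Query` interface.

```java
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.jdo.PersistenceManager;
import javax.jdo.Query;

// Hypothetical persistence-capable class standing in for the store's model
// (an assumption for this example, not a Sentry class).
class Role {
    String roleName;
    String grantorPrincipal;
}

public class RoleLookup {
    private final PersistenceManager pm;

    RoleLookup(PersistenceManager pm) {
        this.pm = pm;
    }

    // VULNERABLE PATTERN (the one the issue describes): a value received from the
    // Thrift client is spliced into the JDOQL filter text. A double quote inside
    // roleName ends the string literal early and whatever follows is parsed as
    // part of the query, so the caller controls the query's structure, not just
    // the value being compared.
    @SuppressWarnings("unchecked")
    List<Role> findByNameUnsafe(String roleName) {
        Query q = pm.newQuery(Role.class);
        try {
            q.setFilter("roleName == \"" + roleName + "\"");
            return (List<Role>) q.execute();
        } finally {
            q.closeAll();
        }
    }

    // HARDENED: the filter text is a constant; the client value travels as a
    // declared parameter and is bound by the JDO implementation. No character in
    // roleName can change how the filter is parsed.
    @SuppressWarnings("unchecked")
    List<Role> findByName(String roleName) {
        Query q = pm.newQuery(Role.class);
        try {
            q.setFilter("roleName == pRoleName");
            q.declareParameters("java.lang.String pRoleName");
            return (List<Role>) q.execute(roleName);
        } finally {
            q.closeAll();
        }
    }

    // HARDENED, several values: implicit ":name" parameters bound through a map.
    // This is the shape to use when a Thrift request carries more than one
    // string that ends up in the query.
    @SuppressWarnings("unchecked")
    List<Role> findByNameAndGrantor(String roleName, String grantorPrincipal) {
        Query q = pm.newQuery(Role.class);
        try {
            q.setFilter("roleName == :name && grantorPrincipal == :grantor");
            Map<String, Object> params = new HashMap<>();
            params.put("name", roleName);
            params.put("grantor", grantorPrincipal);
            return (List<Role>) q.executeWithMap(params);
        } finally {
            q.closeAll();
        }
    }
}
```

A quick review check that follows from the hardened form: every `setFilter(...)` argument (and anything passed to `newQuery(String)`) should be a compile-time constant string. Any occurrence of `+` inside that argument, or a filter assembled with a `StringBuilder` beforehand, is a candidate for the same fix, regardless of whether the concatenated value is believed to be trusted at the time of writing.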