Hi
On 26/06/13 12:08, nikosdim wrote:
> Hi
> I tested the code in my initial post and indeed there is no problem for SQL
> injection attacks related to DROP, DELETE, UPDATE etc.
> But in the type of SQL injection attack shown below
> select * from table where something= 'value derived from FIQL'
> If the user gives blala' or 'x' = 'x in the request
> URL
> then the query that we get from the visitor.getQuery(); is
> select * from table where something='blala' or 'x' = 'x' which passes
> successfully.
> So as far as I can understand there is a vulnerability there.
Interesting. Well, that sounds like a general issue, right? Whenever a
user submits a query of some sort and the application code builds an
SQL query (let's even not talk about a FIQL SQL handler) then there's
always a danger there that a query value may have something bad encoded
in it...
> Also validation in the setters cannot always work because of the nature of
> the data that are stored in the database.
How do you mean? You have "name=some bad expression", you have the
domain knowledge of what a 'name' is. There must be a way to validate
what 'name' may be, otherwise there would always be an injection issue
hanging around.
> I was wondering how is the sql String produced by the FIQL library? Is it by
> concatenating the strings that the user passes on the URL?
No. One provides a holder, like Book.class, the parser will inject
values into it; for example, if we have "name==bar" then Book.setName() will
be called and "bar" provided, and the visitors then work with the getters.
I'm also updating the visitor, adding a method:
protected String validatePropertyValue(String name, String value) {
return value;
}
One would be able to override it and validate not in the bean but in the
visitor itself.
Thanks, Sergey
> Thanks
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/Is-FIQL-SQL-Injection-safe-tp5729800p5729865.html
> Sent from the cxf-user mailing list archive at Nabble.com.
--
Sergey Beryozkin
Talend Community Coders
http://coders.talend.com/
Blog: http://sberyozkin.blogspot.com
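The exchange above turns on one concrete behaviour: a property value taken from a FIQL expression ("name==<value>") ends up between single quotes in a generated SELECT, and the input blala' or 'x' = 'x closes the quote early. The script below is an added illustration written for this thread, not CXF code and not the SQLPrinterVisitor; it builds the same query shape against a constructed in-memory SQLite table ("books" with a "name" column, both assumed names) and compares three variants: the unescaped concatenation the thread describes, the same concatenation after a quote-doubling step of the kind one could put into an overridden validatePropertyValue(), and, as a further alternative not discussed in the thread, handing the value to the driver as a bound parameter.

```python
"""Added example for the FIQL-to-SQL thread (not CXF project code).

Demonstrates why a value lifted from a FIQL expression must not be
spliced into SQL as raw text. All table and column names are assumed,
and the rows are constructed sample data.
"""
import sqlite3

# Constructed sample data standing in for the rows the visitor queries.
SAMPLE_ROWS = [("Alice",), ("Bob",), ("Carol",)]


def make_db():
    """Create an in-memory table with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table books(name text)")
    conn.executemany("insert into books(name) values (?)", SAMPLE_ROWS)
    return conn


def build_query_concat(name):
    """The query shape quoted in the thread: the property value is dropped
    between single quotes with no escaping. This is the vulnerable form."""
    return "select * from books where name='" + name + "' order by name"


def escape_value(value):
    """Hypothetical stand-in for what an overridden validatePropertyValue()
    might do for a string column: double every single quote, which is how a
    literal quote is written inside a standard SQL string literal.

    Caveat: databases that also treat backslash as an escape character
    (MySQL in its default mode) need more than this; bound parameters are
    the safer general answer.
    """
    return value.replace("'", "''")


def build_query_escaped(name):
    """Same concatenation, but the value passes through escape_value() first."""
    return "select * from books where name='" + escape_value(name) + "' order by name"


def run_concat(name):
    """Execute the unescaped query; an injected value returns every row."""
    return make_db().execute(build_query_concat(name)).fetchall()


def run_escaped(name):
    """Execute the escaped query; the payload is now just an odd name."""
    return make_db().execute(build_query_escaped(name)).fetchall()


def run_parameterized(name):
    """Alternative: bind the value as a parameter so it is never parsed as SQL."""
    return make_db().execute(
        "select * from books where name=? order by name", (name,)
    ).fetchall()


if __name__ == "__main__":
    payload = "blala' or 'x' = 'x"   # the input from the thread
    for label, fn in (("concat", run_concat),
                      ("escaped", run_escaped),
                      ("parameterized", run_parameterized)):
        print(label, fn(payload), fn("Bob"))
```

With the thread's payload the concatenated form returns all three rows because the trailing 'x' = 'x' is true for every row, while the escaped and parameterized forms return nothing, since no row is literally named blala' or 'x' = 'x; a benign value such as Bob matches one row in all three.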