[OOZIE-2362] SQL injection in BulkJPAExecutor - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: 4.2.0
Fix Version/s: 4.3.0
Component/s: core, security
Labels:
- patch

Description

In method inClause of org.apache.oozie.executor.jpa.BulkJPAExecutor there is a poosibility for SQL injection (https://www.owasp.org/index.php/SQL_injection) : there is no validation of content of string name before it's included in sql script, opening a possibility for a malicious user to inject sql commands.
A simple validation of strings using .matches(...) would fix problem.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

OOZIE-2362-002.patch
17/Jun/16 08:55
10 kB
Peter Bacsko
OOZIE-2362-001.patch
15/Jun/16 13:09
10 kB
Peter Bacsko
0001-OOZIE-2362-SQL-injection-in-BulkJPAExecutor.patch
15/Sep/15 14:52
2 kB
thierry accart

Activity

People

Assignee:: Peter Bacsko

Reporter:: thierry accart

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 15/Sep/15 09:05

Updated:: 02/Dec/16 21:01

Resolved:: 17/Jun/16 21:53