Description
SentryStore.java builds its queries in many places by concatenating strings instead of using JDQL parameters. Because some of the concatenated values come from Thrift requests, these queries are subject to JDQL injection.
All strings received from Thrift should be passed to the query as parameters, never spliced in by string concatenation.
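The following is an added example (not code from the Sentry sources) contrasting the concatenated pattern the issue describes with the parameterised form using the standard javax.jdo.Query API; the model classes MSentryRole and MSentryGroup and the fields roleName, groups and groupName are assumed names for illustration, and the last method shows how a variable number of Thrift-supplied values can still be bound as parameters.

```java
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.jdo.PersistenceManager;
import javax.jdo.Query;
// Added example. MSentryRole, MSentryGroup, roleName, groups and groupName are assumed names.
public class RoleQueries {
    // Vulnerable pattern: the Thrift-supplied value is spliced into the JDOQL filter text.
    // A double quote in the value ends the literal, so the remainder is parsed as query syntax.
    @SuppressWarnings("unchecked")
    static Collection<MSentryRole> findRoleUnsafe(PersistenceManager pm, String roleName) {
        Query query = pm.newQuery(MSentryRole.class);
        query.setFilter("this.roleName == \"" + roleName + "\"");
        return (Collection<MSentryRole>) query.execute();
    }
    // Fixed pattern: the value is bound to a declared parameter and compared only as data.
    @SuppressWarnings("unchecked")
    static Collection<MSentryRole> findRoleSafe(PersistenceManager pm, String roleName) {
        Query query = pm.newQuery(MSentryRole.class);
        query.declareParameters("java.lang.String pRoleName");
        query.setFilter("this.roleName == pRoleName");
        return (Collection<MSentryRole>) query.execute(roleName);
    }
    // Variable number of values (e.g. group names from Thrift): only the parameter *names*
    // pGroup0, pGroup1, ... enter the filter text; the values are bound through a map.
    @SuppressWarnings("unchecked")
    static Collection<MSentryRole> findRolesForGroups(PersistenceManager pm, Collection<String> groups) {
        if (groups.isEmpty()) {
            return Collections.emptyList(); // an empty "()" clause would not parse
        }
        Query query = pm.newQuery(MSentryRole.class);
        query.declareVariables("MSentryGroup g");
        StringBuilder params = new StringBuilder();
        StringBuilder filter = new StringBuilder();
        Map<String, Object> bindings = new HashMap<>();
        int i = 0;
        for (String group : groups) {
            String name = "pGroup" + i;
            if (i++ > 0) { params.append(", "); filter.append(" || "); }
            params.append("java.lang.String ").append(name);
            filter.append("g.groupName == ").append(name);
            bindings.put(name, group);
        }
        query.declareParameters(params.toString());
        query.setFilter("this.groups.contains(g) && (" + filter + ")");
        return (Collection<MSentryRole>) query.executeWithMap(bindings);
    }
}
```

The same review rule applies when auditing SentryStore.java: any Thrift-derived string that appears inside a filter, ordering or result expression built with `+` is a finding, whereas strings that reach the query only through `execute`, `executeWithArray` or `executeWithMap` are not.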
Attachments
Issue Links
- blocks: SENTRY-872 Uber jira for HMS HA + Sentry HA redesign (Resolved)
- is related to: SENTRY-1609 DelegateSentryStore is subject to JDQL injection (Resolved)
- is related to: SENTRY-1625 PrivilegeOperatePersistence can use QueryParamBuilder (Resolved)
- is related to: SENTRY-1557 getRolesForGroups() does too many trips to the DB (Resolved)