Camel / CAMEL-11625

Potential SQL injection in JdbcAggregationRepository


    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: None
    • Fix Version/s: Future
    • Component/s: camel-sql
    • Labels: None
    • Estimated Complexity: Novice

      Description

      Quoting Sonar:
      "Applications that execute SQL commands should neutralize any externally-provided values used in those commands. Failure to do so could allow an attacker to include input that changes the query so that unintended commands are executed, or sensitive data is exposed."

      It is the case at 2 places:
      https://github.com/apache/camel/blame/master/components/camel-sql/src/main/java/org/apache/camel/processor/aggregate/jdbc/JdbcAggregationRepository.java#L288
      https://github.com/apache/camel/blame/master/components/camel-sql/src/main/java/org/apache/camel/processor/aggregate/jdbc/JdbcAggregationRepository.java#L357

      The only variable thing is the "repositoryName", so maybe there is some validation beforehand which prevents users from injecting SQL code, or is it something that only the Camel developer can configure?

      Even if that is the case, it might be a good idea to use some "preparedStatement" to avoid SQL injection in case the previous assumptions are no longer true.

      I reported here because I didn't see any "security" options on the Camel open source JIRA.
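An added illustration of the mitigation the report asks about (example code written for this page, not code from Apache Camel). It assumes, as the description implies, that repositoryName ends up as the table name in the SQL text; the column names and the helper class are hypothetical. The caveat a practitioner needs is that a JDBC bind marker can only carry a value, never a table or column name, so a PreparedStatement alone does not cover this case: the identifier has to be validated before it is concatenated, while the aggregation key still goes through a bind marker.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.regex.Pattern;

/** Hypothetical helper; not part of camel-sql. */
public final class RepositoryNameGuard {

    // Conservative allowlist for an unquoted SQL identifier: a letter or underscore,
    // then letters, digits or underscores, bounded length. Quotes, spaces, semicolons
    // and comment markers are rejected before any SQL text is built.
    private static final Pattern SAFE_IDENTIFIER =
            Pattern.compile("[A-Za-z_][A-Za-z0-9_]{0,62}");

    private RepositoryNameGuard() {}

    /** Returns repositoryName unchanged if it is a plain identifier, otherwise throws. */
    public static String requireSafeIdentifier(String repositoryName) {
        if (repositoryName == null || !SAFE_IDENTIFIER.matcher(repositoryName).matches()) {
            throw new IllegalArgumentException(
                    "repositoryName is not a plain SQL identifier: " + repositoryName);
        }
        return repositoryName;
    }

    /**
     * Checks whether an aggregation key exists in the repository table.
     * The table name cannot be a bind parameter, so it is validated and then
     * concatenated; the key is a value and is bound with setString, so it can
     * never change the shape of the statement. Column name "id" is assumed.
     */
    public static boolean keyExists(Connection conn, String repositoryName, String key)
            throws SQLException {
        String table = requireSafeIdentifier(repositoryName);
        String sql = "SELECT 1 FROM " + table + " WHERE id = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, key);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }
}
```

If the deployment must allow schema-qualified or mixed-case names, extend the check rather than loosening it, for example by splitting on the dot and validating each part, or by quoting each part with the driver's identifier quote string from DatabaseMetaData.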

      People

      • Assignee: Unassigned
      • Reporter: apupier Aurélien Pupier
