Details
- Bug
- Status: Resolved
- Major
- Resolution: Fixed
- 1.12.0
- None
Description
Use prepared statement instead of Statement in JdbcRecordReader class, which is more efficient and less vulnerable to SQL injection attacks.
Apache Drill 1.13.0-SNAPSHOT, commit 9073aed67d89e8b2188870d6c812706085c9c41b
Findbugs reports the bug below and suggests that we use a prepared statement instead of Statement.
In class org.apache.drill.exec.store.jdbc.JdbcRecordReader, in method org.apache.drill.exec.store.jdbc.JdbcRecordReader.setup(OperatorContext, OutputMutator), at JdbcRecordReader.java:[line 170]: org.apache.drill.exec.store.jdbc.JdbcRecordReader.setup(OperatorContext, OutputMutator) passes a nonconstant String to an execute method on an SQL statement. The method invokes the execute method on an SQL statement with a String that seems to be dynamically generated. Consider using a prepared statement instead. It is more efficient and less vulnerable to SQL injection attacks.
To run with findbugs: mvn clean install -Pfindbugs -DskipTests
Findbugs will write the output to findbugsXml.html in the target directory of each module. For example, the java-exec module report is located at ./exec/java-exec/target/findbugs/findbugsXml.html. Use find . -name "findbugsXml.html" to locate the files.
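As an added illustration (not Drill's JdbcRecordReader code), the pattern Findbugs flags beside the prepared-statement form it recommends; the class name `JdbcRowReader`, the `employee` table, its columns and the `filterValue` parameter are assumed placeholders.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Added example, not Drill's own reader. Table, column and parameter names are placeholders.
public class JdbcRowReader {

    // The pattern Findbugs reports: a non-constant String handed to Statement.execute().
    // Whatever text arrives in filterValue is spliced into the SQL grammar itself, so a
    // value containing a quote can change the statement's structure.
    static ResultSet readWithStatement(Connection conn, String filterValue) throws SQLException {
        String sql = "SELECT id, name FROM employee WHERE dept = '" + filterValue + "'";
        Statement stmt = conn.createStatement();
        stmt.execute(sql);              // flagged: nonconstant String passed to execute
        return stmt.getResultSet();
    }

    // Prepared-statement form: the query text is a constant, and the variable part is
    // bound as a parameter. The driver sends it as data, never as SQL, and the server
    // can cache the parsed plan, which is the efficiency gain the report mentions.
    static ResultSet readWithPreparedStatement(Connection conn, String filterValue) throws SQLException {
        String sql = "SELECT id, name FROM employee WHERE dept = ?";
        PreparedStatement ps = conn.prepareStatement(sql);
        ps.setString(1, filterValue);   // bound value; the statement structure is fixed
        return ps.executeQuery();
    }
}
```

Binding only covers values: table and column names cannot be parameters, so a reader whose whole query text is generated still needs the identifiers it inserts to be validated against a known list or quoted through the driver's identifier quoting before the prepared form is of any help.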
Issue Links
- relates to DRILL-7406 Update Calcite to 1.21.0 (Resolved)