Apache Drill / DRILL-6215

Use prepared statement instead of Statement in JdbcRecordReader class


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.12.0
    • Fix Version/s: 1.18.0
    • Component/s: Storage - JDBC
    • Labels: None

      Description

      Use prepared statement instead of Statement in JdbcRecordReader class, which is more efficient and less vulnerable to SQL injection attacks.

      Apache Drill 1.13.0-SNAPSHOT, commit : 9073aed67d89e8b2188870d6c812706085c9c41b

      Findbugs reports the below bug and suggests that we use prepared statement instead of Statement.

      In class org.apache.drill.exec.store.jdbc.JdbcRecordReader
      In method org.apache.drill.exec.store.jdbc.JdbcRecordReader.setup(OperatorContext, OutputMutator)
      At JdbcRecordReader.java:[line 170]
      org.apache.drill.exec.store.jdbc.JdbcRecordReader.setup(OperatorContext, OutputMutator) passes a nonconstant String to an execute method on an SQL statement
      
      The method invokes the execute method on an SQL statement with a String that seems to be dynamically generated. 
      Consider using a prepared statement instead. 
      It is more efficient and less vulnerable to SQL injection attacks.
      
      

      LOC - https://github.com/apache/drill/blob/a9ea4ec1c5645ddab4b7aef9ac060ff5f109b696/contrib/storage-jdbc/src/main/java/org/apache/drill/exec/store/jdbc/JdbcRecordReader.java#L170
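The two call shapes the Findbugs message contrasts, as an added illustration written for this page (it is not Drill's JdbcRecordReader source). The `person` table, its columns, the in-memory H2 JDBC URL and the sample rows are constructed for the demo and assume the H2 driver is on the classpath; the only thing that matters is that `withStatement` hands a runtime-built String to `executeQuery`, exactly the pattern flagged at line 170, while `withPreparedStatement` keeps the SQL text constant and binds the value.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example, not Drill project code. Table name, columns and the
 * H2 in-memory URL are assumptions made for this demonstration.
 */
public class StatementVsPrepared {

    // The shape Findbugs reports: a non-constant String reaches the execute
    // method. Any quote inside 'value' becomes part of the query's syntax.
    static List<String> withStatement(Connection conn, String value) throws SQLException {
        String sql = "SELECT name FROM person WHERE city = '" + value + "'";
        List<String> names = new ArrayList<>();
        try (Statement stmt = conn.createStatement();
             ResultSet rs = stmt.executeQuery(sql)) {
            while (rs.next()) {
                names.add(rs.getString(1));
            }
        }
        return names;
    }

    // The suggested shape: the SQL text is a constant, the value travels as a
    // bound parameter and is never parsed as SQL; drivers can also reuse the
    // parsed plan, which is the efficiency gain the message mentions.
    static List<String> withPreparedStatement(Connection conn, String value) throws SQLException {
        String sql = "SELECT name FROM person WHERE city = ?";
        List<String> names = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, value);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    names.add(rs.getString(1));
                }
            }
        }
        return names;
    }

    public static void main(String[] args) throws SQLException {
        // Constructed sample data in an in-memory H2 database (assumed available).
        try (Connection conn = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement s = conn.createStatement()) {
                s.execute("CREATE TABLE person (name VARCHAR(32), city VARCHAR(32))");
                s.execute("INSERT INTO person VALUES ('alice', 'Oslo'), ('bob', 'Paris')");
            }
            // A perfectly ordinary value containing an apostrophe: the concatenated
            // query is no longer valid SQL, while the bound query simply matches nothing.
            String input = "O'slo";
            try {
                System.out.println("Statement: " + withStatement(conn, input));
            } catch (SQLException e) {
                System.out.println("Statement failed: " + e.getMessage());
            }
            System.out.println("PreparedStatement: " + withPreparedStatement(conn, input));
        }
    }
}
```

Running `main` shows the difference the report describes from the defender's side: the `Statement` variant raises a syntax error on a harmless apostrophe, which is the same mechanism that lets crafted input alter a query, whereas the `PreparedStatement` variant returns an empty list and the query structure is fixed at compile time of the statement.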

      To run with findbugs:
      mvn clean install -Pfindbugs -DskipTests

      Findbugs will write the output to findbugsXml.html in the target directory of each module.
      For example the java-exec module report is located at: ./exec/java-exec/target/findbugs/findbugsXml.html
      Use
      find . -name "findbugsXml.html"
      to locate the files.

              People

              • Assignee: Igor Guzenko (ihuzenko)
              • Reporter: Khurram Faraaz (khfaraaz)
              • Votes: 0
              • Watchers: 5
