Apache Fineract / FINERACT-854

Use prepared statements instead of string concatenated SQL everywhere


Description

The Fineract code base in many places creates SQL statements through String concatenation. This is prone to SQL injection. This is mitigated by the use of helper utilities such as org.apache.fineract.infrastructure.core.api.ApiParameterHelper.sqlEncodeString(String) and org.apache.fineract.infrastructure.security.utils.SQLInjectionValidator.validateSQLInput(String), but I opine that those are workarounds... the better solution, both for security and likely also helping with performance (at least a little bit; knowing how much would require measuring it...), would be to use JDBC prepared statements with '?' placeholders and passing all raw arguments, instead of embedding them in the query String.

FINERACT-808 root cause analysis brought this up, and I'm about to raise a PR for FINERACT-808 which makes a start; the goal of this issue is to use the new org.apache.fineract.infrastructure.security.utils.SQLBuilder everywhere, and eventually be able to get completely rid of ApiParameterHelper and SQLInjectionValidator.

This issue should also include work to scan the code base for places where SQL Strings are concatenated without even using the existing helpers. FINERACT-853 could potentially help with that.
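The two styles the description contrasts, as an added illustration that is not Fineract code and does not use the SQLBuilder class mentioned above: a lookup written with String concatenation next to the same lookup written as a JDBC PreparedStatement with a '?' placeholder. The table name m_client, its columns, the sample rows and the hostile input are all constructed for the demo, and the main method assumes an H2 in-memory database is available on the classpath.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example (not Fineract code). Same query twice: once built by String
 * concatenation, once as a PreparedStatement. Table and column names are
 * constructed for the demo and do not claim to match the Fineract schema.
 */
public class PreparedStatementDemo {

    /** Vulnerable form: the caller-supplied value becomes part of the SQL text itself. */
    static List<String> findByDisplayNameUnsafe(Connection conn, String displayName) throws SQLException {
        String sql = "SELECT account_no FROM m_client WHERE display_name = '" + displayName + "'";
        List<String> result = new ArrayList<>();
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            while (rs.next()) {
                result.add(rs.getString(1));
            }
        }
        return result;
    }

    /** Hardened form: the SQL text is constant; the value travels separately as a bound parameter. */
    static List<String> findByDisplayNameSafe(Connection conn, String displayName) throws SQLException {
        String sql = "SELECT account_no FROM m_client WHERE display_name = ?";
        List<String> result = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, displayName); // the driver never interprets this as SQL syntax
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    result.add(rs.getString(1));
                }
            }
        }
        return result;
    }

    public static void main(String[] args) throws SQLException {
        // Assumption: the H2 driver is on the classpath; any JDBC driver with an in-memory mode behaves the same.
        try (Connection conn = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement st = conn.createStatement()) {
                st.execute("CREATE TABLE m_client (account_no VARCHAR(20), display_name VARCHAR(100))");
                st.execute("INSERT INTO m_client VALUES ('000000001', 'Alice'), ('000000002', 'Bob')");
            }

            // Constructed input: no client has this name, yet it carries SQL syntax.
            String hostile = "nobody' OR '1'='1";

            // Concatenation lets the quote close the literal and the OR clause widen the match to every row.
            System.out.println("unsafe: " + findByDisplayNameUnsafe(conn, hostile));
            // The bound parameter is compared as an opaque string, so nothing matches.
            System.out.println("safe:   " + findByDisplayNameSafe(conn, hostile));
            // Ordinary lookups behave identically in the hardened form.
            System.out.println("safe:   " + findByDisplayNameSafe(conn, "Alice"));
        }
    }
}
```

The hardened form also covers the correctness problem that escaping helpers only paper over: a legitimate name containing a quote (O'Brien, for instance) breaks the concatenated query but is handled without any encoding step by setString. When reviewing a call site, the check is simply whether any runtime value appears inside the String passed to prepareStatement; if it does, it should become a '?' and a set*() call.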

People

Assignee: Joseph Makara (josemakara)
Reporter: Michael Vorburger (vorburger)
