  1. Olingo
  2. OLINGO-702

SQL Injection - Not validating 1=1 in filter query

Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Not A Problem
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: odata2-core, odata4-server
    • Labels: Important

    Description

      I am trying to make a request with the following filter query option in the URI:

      http://host:8080/odata/odata.svc/Employees?$filter = Id eq 9000 or 1 eq 1

      The above request is giving all the entities (employees' details), but Olingo needs to reject this, as it includes 1 eq 1.

      The following is my perception. Please correct me if I am wrong in any way:

      Whenever the request URI includes a filter query option, Olingo validates the filter expression. While validating the filter query, it checks the data type of the values, i.e. in the above case, 9000 is the value for the property "Id". But if the left side operand is a literal, it should reject the request, but it is failing to do so.

      What I am thinking here is that Olingo should reject the request if the left side operand is a literal and not a valid property name.
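
An application-side version of the check the reporter proposes, as an added example (not Olingo code and not part of the original issue): it scans a `$filter` value for comparisons whose left operand is a literal. The tokenizer, the function names and the restriction to a small subset of the filter grammar are assumptions of this sketch.

```python
import re

# Tokens of a small, assumed subset of the OData $filter grammar:
# quoted strings, numbers, parentheses, and bare words (names, operators).
TOKEN = re.compile(r"\s*('(?:[^']|'')*'|-?\d+(?:\.\d+)?|[()]|[A-Za-z_][\w/.]*)")
COMPARISON_OPS = {"eq", "ne", "gt", "ge", "lt", "le"}
ARITHMETIC_OPS = {"add", "sub", "mul", "div", "mod"}
KEYWORD_LITERALS = {"true", "false", "null"}


def tokenize(expr):
    """Split a $filter value into tokens; raise on anything outside the subset."""
    expr = expr.rstrip()
    pos, tokens = 0, []
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"unexpected input at offset {pos}: {expr[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def is_literal(tok):
    """String, numeric and keyword literals; everything else is treated as a name."""
    return tok[0] in "'-0123456789" or tok in KEYWORD_LITERALS


def literal_left_comparisons(filter_expr):
    """Return (left, op, right) for each comparison whose left operand is a literal.

    A literal that is the tail of an arithmetic expression (Id add 1 eq 2)
    is skipped, because the real left operand involves a property there.
    """
    toks = tokenize(filter_expr)
    hits = []
    for i in range(1, len(toks) - 1):
        if toks[i] not in COMPARISON_OPS or not is_literal(toks[i - 1]):
            continue
        if i >= 2 and toks[i - 2] in ARITHMETIC_OPS:
            continue
        hits.append((toks[i - 1], toks[i], toks[i + 1]))
    return hits


if __name__ == "__main__":
    # Filter value from the request in this issue.
    print(literal_left_comparisons("Id eq 9000 or 1 eq 1"))
```

A check like this only finds literal-only comparisons; expressions that involve a property can also be always true, so access to the entity set itself still has to be enforced by authorization in the service.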

          People

            chrisam Christian Amend
            prashanthpatha Prashanth