Details
- Improvement
- Status: Resolved
- Critical
- Resolution: Fixed
- 0.12
- None
- None
- Important
- Don't Know (Unsure) - The default level
Description
Right now, in DataSourceIngestMapper.java, values passed to SQL commands are not sanitized. Applications that execute SQL commands should neutralize any externally provided values used in those commands. Failure to do so could allow an attacker to supply input that changes the query, so that unintended commands are executed or sensitive data is exposed.
This issue checks that method parameters are not used directly in non-Hibernate SQL statements, and that parameter binding, rather than string concatenation, is used in Hibernate statements.
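The change this issue asks for, shown as an added example rather than the project's own code: a hypothetical JDBC lookup in the style of a mapper class, first with the value concatenated into the SQL text and then with the value bound as a parameter. The table and column names (`ingest_records`, `name`, `id`) and the allow-list of table names are assumptions for the example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

public class IngestQueryExample {

    // Vulnerable form: the externally supplied value becomes part of the SQL text,
    // so a quote character inside it changes the structure of the query itself.
    static List<Long> findIdsByNameUnsafe(Connection conn, String name) throws SQLException {
        String sql = "SELECT id FROM ingest_records WHERE name = '" + name + "'";
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return collectIds(rs);
        }
    }

    // Hardened form: the SQL text is fixed at compile time and the value is bound
    // as a parameter, so the driver transmits it as data, never as query syntax.
    static List<Long> findIdsByNameSafe(Connection conn, String name) throws SQLException {
        String sql = "SELECT id FROM ingest_records WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                return collectIds(rs);
            }
        }
    }

    // Identifiers (table or column names) cannot be bound as parameters. When a
    // caller may choose one, validate it against a fixed allow-list (assumed here)
    // before it is placed into the SQL text.
    private static final Set<String> ALLOWED_TABLES = Set.of("ingest_records", "ingest_errors");

    static long countRowsSafe(Connection conn, String table) throws SQLException {
        if (!ALLOWED_TABLES.contains(table)) {
            throw new IllegalArgumentException("table not permitted: " + table);
        }
        try (PreparedStatement ps = conn.prepareStatement("SELECT COUNT(*) FROM " + table);
             ResultSet rs = ps.executeQuery()) {
            return rs.next() ? rs.getLong(1) : 0L;
        }
    }

    private static List<Long> collectIds(ResultSet rs) throws SQLException {
        List<Long> ids = new ArrayList<>();
        while (rs.next()) {
            ids.add(rs.getLong("id"));
        }
        return ids;
    }
}
```

A code review for this issue would look for any `+` concatenation or `String.format` feeding `createStatement`/`createSQLQuery`, and for Hibernate queries would expect named parameters (`:name`) with `setParameter` in place of concatenation.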