[OODT-927] Values passed to SQL commands should be sanitized in CAS DataSourceIngestMapper.java - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Critical
Resolution: Fixed
Affects Version/s: 0.12
Fix Version/s: None
Component/s: catalog
Labels:
None

Flags:

Important
Skill Level:
Don't Know (Unsure) - The default level

Description

Right now in DataSourceIngestMapper.java values passed to SQL commands are not sanitized. Applications that execute SQL commands should neutralize any externally-provided values used in those commands. Failure to do so could allow an attacker to include input that changes the query so that unintended commands are executed, or sensitive data is exposed.

This issue checks that method parameters are not used directly in non-Hibernate SQL statements, and that parameter binding, rather than concatenation is used in Hibernate statements.

Attachments

Issue Links

links to

GitHub Pull Request #39

Activity

People

Assignee:: Lewis John McGibbney

Reporter:: Lewis John McGibbney

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 26/May/16 18:36

Updated:: 21/Jun/16 09:20

Resolved:: 01/Jun/16 02:31