OOZIE-2362: SQL injection in BulkJPAExecutor

Details

• Type: Bug
• Status: Closed
• Priority: Critical
• Resolution: Fixed
• Affects Version/s: 4.2.0
• Fix Version/s: 4.3.0
• Component/s: core, security
• Labels:

Description

In method inClause of org.apache.oozie.executor.jpa.BulkJPAExecutor there is a possibility for SQL injection (https://www.owasp.org/index.php/SQL_injection): there is no validation of the content of the string name before it is included in the SQL script, opening a possibility for a malicious user to inject SQL commands.
A simple validation of strings using .matches(...) would fix the problem.
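The following is an added example (not Oozie's code and not the attached patches) showing the two standard ways to keep caller-supplied names from altering an IN clause: whitelist validation with .matches(...), as the ticket suggests, and positional parameter binding. The class name, the whitelist pattern and the sample values are assumptions made for the example.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Added example (not Oozie's code): building an SQL/JPQL IN clause from
 * caller-supplied names without letting those names change the query.
 */
public class InClauseExample {

    // Whitelist for name-like values: letters, digits, '_', '-', '.'.
    // The pattern is an assumption for this example; pick one that matches the real data.
    private static final Pattern SAFE_NAME = Pattern.compile("^[A-Za-z0-9_.\\-]+$");

    /** The risky shape: values spliced straight into the query text. */
    static String unsafeInClause(String column, List<String> values) {
        StringBuilder sb = new StringBuilder(column).append(" IN (");
        for (int i = 0; i < values.size(); i++) {
            if (i > 0) sb.append(", ");
            sb.append('\'').append(values.get(i)).append('\'');
        }
        return sb.append(')').toString();
    }

    /** Option 1 (the ticket's suggestion): reject any value that fails the whitelist. */
    static String validatedInClause(String column, List<String> values) {
        for (String v : values) {
            if (v == null || !SAFE_NAME.matcher(v).matches()) {
                throw new IllegalArgumentException("Rejected value for IN clause: " + v);
            }
        }
        // Safe only because every value has passed the whitelist above.
        return unsafeInClause(column, values);
    }

    /** Query text plus the values to bind, for use with setParameter(index, value). */
    static final class BoundClause {
        final String text;
        final List<String> params;
        BoundClause(String text, List<String> params) { this.text = text; this.params = params; }
    }

    /** Option 2: emit positional placeholders so the database never parses the values as SQL. */
    static BoundClause parameterizedInClause(String column, List<String> values, int firstIndex) {
        StringBuilder sb = new StringBuilder(column).append(" IN (");
        for (int i = 0; i < values.size(); i++) {
            if (i > 0) sb.append(", ");
            sb.append('?').append(firstIndex + i);   // JPQL positional parameter ?1, ?2, ...
        }
        return new BoundClause(sb.append(')').toString(), new ArrayList<>(values));
    }

    public static void main(String[] args) {
        // Constructed sample input; the last entry is the kind of value validation must reject.
        List<String> names = Arrays.asList("wf-daily", "wf_hourly", "x') OR '1'='1");

        System.out.println("unsafe:        " + unsafeInClause("name", names));

        BoundClause bc = parameterizedInClause("name", names, 1);
        System.out.println("parameterized: " + bc.text + "  params=" + bc.params);

        try {
            validatedInClause("name", names);
        } catch (IllegalArgumentException e) {
            System.out.println("validated:     " + e.getMessage());
        }
    }
}
```

Running main shows the concatenated form lets the third value close the quoted list and append its own condition, while the parameterized form keeps the same value as plain data and the validated form rejects it outright. In a JPA executor the BoundClause params would be passed to the query with setParameter(firstIndex + i, value); validation alone is adequate only while the whitelist stays strict, so binding is the more robust of the two.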

Attachments

1. OOZIE-2362-002.patch (10 kB, Peter Bacsko)
2. OOZIE-2362-001.patch (10 kB, Peter Bacsko)
3. 0001-OOZIE-2362-SQL-injection-in-BulkJPAExecutor.patch (2 kB, thierry accart)


People

• Assignee: Peter Bacsko (pbacsko)
• Reporter: thierry accart (taccart)
• Votes: 0
• Watchers: 4
