
SQL injection in BulkJPAExecutor


Details

    • Bug
    • Status: Closed
    • Critical
    • Resolution: Fixed
    • 4.2.0
    • 4.3.0
    • core, security

    Description

      In method inClause of org.apache.oozie.executor.jpa.BulkJPAExecutor there is a possibility for SQL injection (https://www.owasp.org/index.php/SQL_injection): there is no validation of the content of the string name before it is included in the SQL script, opening a possibility for a malicious user to inject SQL commands.
      A simple validation of strings using .matches(...) would fix the problem.
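The defect the description points at is a generic one: values are concatenated straight into the text of an IN clause, so nothing stops a value from altering the statement. The following is an added illustration, not code from Oozie or from the attached patches; the class, method names and the identifier pattern are assumptions chosen for this example. It places the concatenating variant next to a hardened one that first rejects any value that does not satisfy `String.matches(...)` (the fix the reporter suggests) and then binds each surviving value as a JPA positional parameter instead of quoting it into the query text.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/** Added example: vulnerable vs. hardened construction of an IN (...) clause. */
public class InClauseExample {

    /** Assumed allow-list for identifier-like values (letters, digits, '_', '-', '.'). */
    static final String SAFE_NAME = "^[A-Za-z0-9_\\-.]+$";

    /** Vulnerable pattern: each value is spliced into the query text without validation. */
    static String inClauseUnsafe(String column, List<String> names) {
        StringBuilder sb = new StringBuilder(column).append(" IN (");
        for (int i = 0; i < names.size(); i++) {
            if (i > 0) sb.append(", ");
            sb.append('\'').append(names.get(i)).append('\'');
        }
        return sb.append(')').toString();
    }

    /** Query text plus the values that must be bound to its positional parameters. */
    static final class BoundClause {
        final String text;
        final List<String> params;
        BoundClause(String text, List<String> params) {
            this.text = text;
            this.params = Collections.unmodifiableList(params);
        }
    }

    /**
     * Hardened pattern: validate every value with matches(...) and emit ?1, ?2, ...
     * placeholders; the caller binds them with Query.setParameter(position, value).
     * firstParam is the position of the first placeholder (1 in a fresh query).
     */
    static BoundClause inClauseSafe(String column, List<String> names, int firstParam) {
        List<String> params = new ArrayList<>(names.size());
        StringBuilder sb = new StringBuilder(column).append(" IN (");
        for (int i = 0; i < names.size(); i++) {
            String name = names.get(i);
            if (!name.matches(SAFE_NAME)) {
                throw new IllegalArgumentException("rejected value for " + column + ": " + name);
            }
            if (i > 0) sb.append(", ");
            sb.append('?').append(firstParam + i);
            params.add(name);
        }
        return new BoundClause(sb.append(')').toString(), params);
    }

    public static void main(String[] args) {
        // Constructed inputs: two well-formed ids and one containing a quote and a space.
        List<String> ok = List.of("wf-0001", "wf-0002");
        List<String> bad = List.of("wf-0001", "wf-0002' OR 'a'='a");

        // The unsafe builder happily produces a clause whose structure the input changed.
        System.out.println(inClauseUnsafe("id", bad));

        // The hardened builder emits placeholders for valid input ...
        BoundClause clause = inClauseSafe("id", ok, 1);
        System.out.println(clause.text + "  params=" + clause.params);
        // ... and refuses the malformed value before any query text is built.
        try {
            inClauseSafe("id", bad, 1);
        } catch (IllegalArgumentException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

In real JPA code the `text` of the bound clause is what goes into `EntityManager.createQuery(...)`, and each entry of `params` is bound with `setParameter(firstParam + i, value)`; the `matches(...)` check alone already closes the hole described in the ticket, and binding parameters removes the need to ever quote values into query text at all.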

      Attachments

        1. OOZIE-2362-002.patch (10 kB, Peter Bacsko)
        2. OOZIE-2362-001.patch (10 kB, Peter Bacsko)
        3. 0001-OOZIE-2362-SQL-injection-in-BulkJPAExecutor.patch (2 kB, thierry accart)


          People

            pbacsko Peter Bacsko
            taccart thierry accart
            Votes: 0
            Watchers: 4
