[PHOENIX-3613] Avoid possible SQL Injection with proper input validations - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 4.10.0, 4.8.2
Component/s: None
Labels:
None

Description

There are possible SQL injections :

Issue 1 :
Overview : On line 139 of PhoenixUtil.java, the method executeStatementThrowException() invokes a SQL query built using input coming from an untrusted source. This call could allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands.

Comment : As the source SQL query can have IN clause in SQL statement, please use this link to fix http://stackoverflow.com/questions/3107044/preparedstatement-with-list-of-parameters-in-a-in-clause

Issue 2 :
Overview : On line 60 of EntityFactory.java, the method findMultiple() invokes a SQL query built using input coming from an untrusted source. This call could allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands.

Comment : Limit value can be misused as well.

Tagged : Suspicious

Overview : On line 154 of PhoenixUtil.java, the method executeStatement() invokes a SQL query built using input coming from an untrusted source. This call could allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands.

Comment : Applying schema to file?

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

PHOENIX-3613.patch
20/Jan/17 15:59
4 kB
Rajeshbabu Chintaguntla

Activity

People

Assignee:: Rajeshbabu Chintaguntla

Reporter:: Rajeshbabu Chintaguntla

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 20/Jan/17 06:13

Updated:: 20/Jan/17 18:45

Resolved:: 20/Jan/17 17:35