Sentry / SENTRY-1476

SentryStore is subject to JDQL injection


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.7.0, 2.0.0
    • Fix Version/s: 1.8.0, 2.0.0
    • Component/s: Core
    • Labels:
      None

      Description

      SentryStore.java has a bunch of places where the query is constructed by concatenating strings rather than using JDQL parameters. This is subject to JDQL injection since some of the parameters come from Thrift.

      All strings from Thrift should be passed as parameters, not as string concatenation.
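      The two shapes the description contrasts, as an added example (not Sentry's code and not the attached patch): a JDOQL (what the description calls JDQL) filter assembled by string concatenation from a Thrift-supplied role name, next to the same lookup with the value bound as a query parameter. It assumes Sentry's JDO-mapped role class has a String field `roleName` (a minimal stand-in is declared below) and that a `PersistenceManager` comes from the DataNucleus factory Sentry already configures; the payload is constructed for illustration.

```java
import java.util.List;

import javax.jdo.PersistenceManager;
import javax.jdo.Query;

/** Illustration of the SENTRY-1476 bug class; not code from the Sentry project. */
public class JdoqlInjectionExample {

  /** Stand-in for Sentry's persistence class; assumed to carry a "roleName" field. */
  public static class MSentryRole {
    public String roleName;
  }

  /**
   * The filter text the concatenating pattern produces. Split out so the
   * effect of a hostile value can be inspected without a datastore.
   */
  static String concatenatedFilter(String roleName) {
    return "this.roleName == \"" + roleName + "\"";
  }

  /**
   * VULNERABLE: roleName arrives in a Thrift request and is spliced into the
   * JDOQL filter. A value that closes the string literal rewrites the query.
   */
  @SuppressWarnings("unchecked")
  static List<MSentryRole> getRolesConcat(PersistenceManager pm, String roleName) {
    Query query = pm.newQuery(MSentryRole.class);
    query.setFilter(concatenatedFilter(roleName));
    return (List<MSentryRole>) query.execute();
  }

  /**
   * SAFE: the filter is a constant; ":roleName" is an implicit JDOQL
   * parameter and execute(Object) binds the value to it. Whatever the
   * caller sends is compared as data and can never become query syntax.
   */
  @SuppressWarnings("unchecked")
  static List<MSentryRole> getRolesParam(PersistenceManager pm, String roleName) {
    Query query = pm.newQuery(MSentryRole.class);
    query.setFilter("this.roleName == :roleName");
    return (List<MSentryRole>) query.execute(roleName);
  }

  public static void main(String[] args) {
    // Constructed payload: terminates the literal and appends an always-true clause.
    String payload = "admin\" || this.roleName != \"";
    System.out.println("concatenated filter: " + concatenatedFilter(payload));
    System.out.println("parameterized filter: this.roleName == :roleName (value bound separately)");
  }
}
```

      With the payload above, `concatenatedFilter` yields `this.roleName == "admin" || this.roleName != ""`, which matches every role rather than one; the parameterized form keeps the whole string as the compared value. Audit tip for the other call sites: any `setFilter(...)` or `newQuery(...)` argument built with `+` from a Thrift field is an instance of the same bug.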

        Attachments

        1. SENTRY-1476.003.patch (46 kB, Alex Kolbasov)
        2. SENTRY-1476.002.patch (46 kB, Alex Kolbasov)
        3. SENTRY-1476.001.patch (46 kB, Alex Kolbasov)

              People

               • Assignee: akolb Alex Kolbasov
               • Reporter: akolb Alex Kolbasov
               • Votes: 0
               • Watchers: 2
