[SENTRY-1476] SentryStore is subject to JDQL injection - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 1.7.0, 2.0.0
Fix Version/s: 1.8.0, 2.0.0
Component/s: Core
Labels:
None

Description

SentryStore.java has a bunch of places where the query is constructed by concatenating strings rather than using JDQL parameters. This is subject to JDQL injection since some of the parameters come from Thrift.

All strings from Thrift should be passed as parameters, not as string concatenation.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

SENTRY-1476.003.patch
15/Dec/16 00:28
46 kB
Alex Kolbasov
SENTRY-1476.002.patch
15/Dec/16 00:21
46 kB
Alex Kolbasov
SENTRY-1476.001.patch
06/Dec/16 05:28
46 kB
Alex Kolbasov

Issue Links

blocks

SENTRY-872 Uber jira for HMS HA + Sentry HA redesign

Resolved

is related to

SENTRY-1609 DelegateSentryStore is subject to JDQL injection

Resolved

SENTRY-1625 PrivilegeOperatePersistence can use QueryParamBuilder

Resolved

SENTRY-1557 getRolesForGroups() does too many trips to the the DB

Resolved

links to

Code Review

Activity

People

Assignee:: Alex Kolbasov

Reporter:: Alex Kolbasov

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 21/Sep/16 05:04

Updated:: 24/Jul/17 15:37

Resolved:: 15/Dec/16 02:21