camel-issues mailing list archives

From "Claus Ibsen (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CAMEL-11625) Potential SQL injection in JdbcAggregationRepository
Date Tue, 22 Aug 2017 00:22:02 GMT

    [ https://issues.apache.org/jira/browse/CAMEL-11625?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16136078#comment-16136078 ]

Claus Ibsen commented on CAMEL-11625:
-------------------------------------

Sashca

Ah yeah, that is correct. This is not really a problem, because configuring the table name
is part of the developer creating the application. It's not taken dynamically from some message
content or HTTP server etc.

So let's just leave it as-is.

> Potential SQL injection in JdbcAggregationRepository
> ----------------------------------------------------
>
>                 Key: CAMEL-11625
>                 URL: https://issues.apache.org/jira/browse/CAMEL-11625
>             Project: Camel
>          Issue Type: Improvement
>          Components: camel-sql
>            Reporter: Aurélien Pupier
>             Fix For: Future
>
>
> Quoting Sonar:
> "Applications that execute SQL commands should neutralize any externally-provided values
> used in those commands. Failure to do so could allow an attacker to include input that changes
> the query so that unintended commands are executed, or sensitive data is exposed."
> This is the case in two places:
> https://github.com/apache/camel/blame/master/components/camel-sql/src/main/java/org/apache/camel/processor/aggregate/jdbc/JdbcAggregationRepository.java#L288
> https://github.com/apache/camel/blame/master/components/camel-sql/src/main/java/org/apache/camel/processor/aggregate/jdbc/JdbcAggregationRepository.java#L357
> The only variable thing is the "repositoryName", so maybe there is some validation beforehand
> which prevents users from injecting SQL code, or is it something that only the Camel developer
> can configure?
> Even if that is the case, it might be a good idea to use a "preparedStatement" to avoid
> SQL injection in case the previous assumptions are no longer true.
> I reported it here because I didn't see any "security" option on the Camel open source
> JIRA.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
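The thread above turns on one technical point: the interpolated value is a table name (repositoryName), and a JDBC-style prepared statement cannot bind an identifier, only values. So "use a preparedStatement" does not by itself close the pattern Sonar flagged; the practical hardening is a strict allowlist check on the identifier before it is concatenated, with the row key still bound as a parameter. The following is an added example written for this page, not Camel's code and not from either participant. It uses Python's sqlite3 (JDBC drivers behave the same way for a bind marker in table position), a constructed in-memory table whose columns (id, exchange, version) are an assumption loosely modelled on an aggregation repository, and hypothetical helper names of its own. It shows the concatenating form beside the validated form, a constructed repositoryName that defeats the key comparison when no check is applied, and that binding the identifier as a parameter is rejected by the engine.

```python
import re
import sqlite3

# Hypothetical hardening for the pattern the issue describes: a table name
# (repositoryName) concatenated into SQL. Added example, not Camel code.
# A bind parameter cannot stand in for an identifier, so the fix is to
# validate the identifier against a strict allowlist before interpolating it,
# and to bind the row key as a parameter as usual.

# Allow `table` or `schema.table`, each part [A-Za-z_][A-Za-z0-9_]*.
IDENTIFIER_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*)?")


def is_valid_repository_name(name) -> bool:
    """True only for a plain (optionally schema-qualified) SQL identifier."""
    return isinstance(name, str) and IDENTIFIER_RE.fullmatch(name) is not None


def build_select_sql_unsafe(repository_name: str) -> str:
    """The flagged pattern: identifier concatenated straight into the statement."""
    return "SELECT exchange FROM " + repository_name + " WHERE id = ?"


def build_select_sql(repository_name: str) -> str:
    """Hardened form: identifier validated first, key still bound as a parameter."""
    if not is_valid_repository_name(repository_name):
        raise ValueError("invalid repository name: %r" % (repository_name,))
    return "SELECT exchange FROM " + repository_name + " WHERE id = ?"


def identifier_cannot_be_bound(conn: sqlite3.Connection) -> bool:
    """Why a prepared statement alone is not enough: a bind marker in table
    position is a syntax error, so the engine never gets to substitute it."""
    try:
        conn.execute("SELECT exchange FROM ? WHERE id = ?", ("aggregation", "k1"))
    except sqlite3.OperationalError:
        return True
    return False


def lookup(conn: sqlite3.Connection, sql: str, key: str):
    """Execute a lookup statement with the key bound; return the blob or None."""
    row = conn.execute(sql, (key,)).fetchone()
    return row[0] if row else None


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table for the example; the schema is an assumption."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE aggregation (id TEXT PRIMARY KEY, exchange BLOB, version INTEGER)"
    )
    conn.execute("INSERT INTO aggregation VALUES ('k1', X'CAFE', 1)")
    conn.commit()
    return conn


# Constructed repositoryName that is not an identifier: it closes the WHERE
# clause itself, makes every row match, and comments out the rest of the query.
MALICIOUS_NAME = "aggregation WHERE id = ? OR 1=1 --"


if __name__ == "__main__":
    conn = make_demo_db()
    print(identifier_cannot_be_bound(conn))                                  # True
    print(lookup(conn, build_select_sql("aggregation"), "k1"))               # b'\xca\xfe'
    print(lookup(conn, build_select_sql("aggregation"), "no-such-key"))      # None
    print(lookup(conn, build_select_sql_unsafe(MALICIOUS_NAME), "no-such-key"))  # b'\xca\xfe'
    print(is_valid_repository_name(MALICIOUS_NAME))                          # False
```

With the concatenating form, the constructed name returns stored data for a key that does not exist, because the interpolated text rewrote the predicate; the validated form refuses the same name before any SQL is built. Whether that matters in practice is exactly the question the thread settles: if the name is only ever set by the developer in configuration, the check is defence in depth rather than a fix for a live hole, but it costs one regular expression.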
