From nazeer1100...@apache.org
Subject [4/6] fineract git commit: SQL injection validator fix
Date Mon, 11 Dec 2017 10:29:27 GMT
SQL injection validator fix


Project: http://git-wip-us.apache.org/repos/asf/fineract/repo
Commit: http://git-wip-us.apache.org/repos/asf/fineract/commit/749ec055
Tree: http://git-wip-us.apache.org/repos/asf/fineract/tree/749ec055
Diff: http://git-wip-us.apache.org/repos/asf/fineract/diff/749ec055

Branch: refs/heads/develop
Commit: 749ec055e9755f75d93fad8bb2ab4b7d6966aa48
Parents: 87e0c59
Author: Konstantin Golub <key.offecka@runbox.com>
Authored: Tue Oct 17 08:23:18 2017 -0300
Committer: Konstantin Golub <key.offecka@runbox.com>
Committed: Tue Oct 17 08:23:18 2017 -0300

----------------------------------------------------------------------
 .../infrastructure/security/utils/SQLInjectionValidator.java   | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/fineract/blob/749ec055/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/utils/SQLInjectionValidator.java
----------------------------------------------------------------------
diff --git a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/utils/SQLInjectionValidator.java
b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/utils/SQLInjectionValidator.java
index 60c2070..d03b2f4 100644
--- a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/utils/SQLInjectionValidator.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/utils/SQLInjectionValidator.java
@@ -30,7 +30,7 @@ public class SQLInjectionValidator {
 
 	private final static String[] COMMENTS = { "--", "({", "/*", "#" };
 
-	private final static String SQL_PATTERN = "[a-zA-Z_=,\\-'!><.?\"`% ()0-9]*";
+	private final static String SQL_PATTERN = "[a-zA-Z_=,\\-'!><.?\"`% ()0-9*\n\r]*";
 
 	public final static void validateSQLInput(final String sqlSearch) {
 		String lowerCaseSQL = sqlSearch.toLowerCase();
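Review bot: The widened character class on the new SQL_PATTERN line admits `*`, CR and LF without a comment recording why, and the constant still carries no statement of what it is meant to guarantee. The class also accepts single and double quotes, backtick, `=`, `<`, `>`, `%` and `-`, so the whitelist alone does not stop classic quote/comparison payloads; it only bounds the input alphabet and leaves comment and keyword detection to the blacklist checks (`/*` is still excluded because `/` is not in the class, `--` relies on the COMMENTS check). I would add above the constant: `// Character whitelist for search input: bounds the alphabet only. Quotes and comparison operators are allowed, so callers must still use parameterized queries; '*' permits SELECT *, CR/LF permit multi-line input.` validateSQLInput's body continues outside the hunk, so the order in which the COMMENTS and pattern checks run cannot be confirmed from here.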
@@ -115,9 +115,9 @@ public class SQLInjectionValidator {
 		}
 	}
 	public final static void validateAdhocQuery(final String sqlSearch) {
-		String lowerCaseSQL = sqlSearch.toLowerCase();
+		String lowerCaseSQL = sqlSearch.toLowerCase().trim();
 		for (String ddl : DDL_COMMANDS) {
-			if (lowerCaseSQL.contains(ddl)) {
+			if (lowerCaseSQL.startsWith(ddl)) {
 				throw new SQLInjectionException();
 			}
 		}
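Review bot: Replacing `contains(ddl)` with `startsWith(ddl)` on the new line means a DDL verb that follows a statement separator (`select 1; drop table t`) or a leading comment block is no longer rejected by this loop; unless the rest of validateAdhocQuery, which continues outside the hunk, refuses `;` and comment markers, this trades false positives for a bypass. Checking each `;`-separated statement keeps the false-positive fix while still catching a trailing DDL statement. Note also that `startsWith` has no word boundary, so whether an identifier that merely begins with a DDL keyword is rejected depends on how DDL_COMMANDS is spelled, which is not visible in this hunk.
```java
		String lowerCaseSQL = sqlSearch.toLowerCase().trim();
		// Check every statement, not only the first, so "select 1; drop table t"
		// is still rejected even though the query no longer starts with a DDL verb.
		for (String statement : lowerCaseSQL.split(";")) {
			String stmt = statement.trim();
			for (String ddl : DDL_COMMANDS) {
				if (stmt.startsWith(ddl)) {
					throw new SQLInjectionException();
				}
			}
		}
		// … unchanged: remainder of validateAdhocQuery …
```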

