kylin-dev mailing list archives

From "Ted Yu (JIRA)" <j...@apache.org>
Subject [jira] [Created] (KYLIN-2046) Potential injected SQL attack vulnerability in QueryService
Date Sat, 24 Sep 2016 00:01:46 GMT
Ted Yu created KYLIN-2046:
-----------------------------

             Summary: Potential injected SQL attack vulnerability in QueryService
                 Key: KYLIN-2046
                 URL: https://issues.apache.org/jira/browse/KYLIN-2046
             Project: Kylin
          Issue Type: Bug
            Reporter: Ted Yu


{code}
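// massageSql() applies its regex-based checks and returns the corrected SQL string
String correctedSql = QueryUtil.massageSql(sqlRequest);
if (!correctedSql.equals(sqlRequest.getSql())) {
...
// the corrected SQL string is what gets executed
return execute(correctedSql, sqlRequest);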
{code}
massageSql() uses regex to detect malformed SQL.

However, there may be SQL injection which is not detected by massageSql().



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
