phoenix-dev mailing list archives

From "Hudson (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (PHOENIX-3613) Avoid possible SQL Injection with proper input validations
Date Fri, 20 Jan 2017 18:45:26 GMT

    [ https://issues.apache.org/jira/browse/PHOENIX-3613?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15832239#comment-15832239 ]

Hudson commented on PHOENIX-3613:
---------------------------------

FAILURE: Integrated in Jenkins build Phoenix-4.8-HBase-1.2 #68 (See [https://builds.apache.org/job/Phoenix-4.8-HBase-1.2/68/])
PHOENIX-3613 Avoid possible SQL Injection with proper input (rajeshbabu: rev 23ffd4153bbc5ab29aab57c3011da45550dac682)
* (edit) phoenix-tracing-webapp/src/main/java/org/apache/phoenix/tracingwebapp/http/EntityFactory.java
* (edit) phoenix-tracing-webapp/src/main/java/org/apache/phoenix/tracingwebapp/http/TraceServlet.java


> Avoid possible SQL Injection with proper input validations
> ----------------------------------------------------------
>
>                 Key: PHOENIX-3613
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-3613
>             Project: Phoenix
>          Issue Type: Bug
>            Reporter: Rajeshbabu Chintaguntla
>            Assignee: Rajeshbabu Chintaguntla
>             Fix For: 4.10.0, 4.8.2
>
>         Attachments: PHOENIX-3613.patch
>
>
> There are possible SQL injections:
> Issue 1:
> *Overview*: On line 139 of PhoenixUtil.java, the method executeStatementThrowException()
> invokes a SQL query built using input coming from an untrusted source. This call could allow
> an attacker to modify the statement's meaning or to execute arbitrary SQL commands.
> *Comment*: As the source SQL query can have an IN clause in the SQL statement, please use this
> link to fix http://stackoverflow.com/questions/3107044/preparedstatement-with-list-of-parameters-in-a-in-clause
> Issue 2:
> *Overview*: On line 60 of EntityFactory.java, the method findMultiple() invokes a SQL
> query built using input coming from an untrusted source. This call could allow an attacker
> to modify the statement's meaning or to execute arbitrary SQL commands.
> *Comment*: Limit value can be misused as well.
> *Tagged*: Suspicious
> *Overview*: On line 154 of PhoenixUtil.java, the method executeStatement() invokes a
> SQL query built using input coming from an untrusted source. This call could allow an attacker
> to modify the statement's meaning or to execute arbitrary SQL commands.
> *Comment*: Applying schema to file?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
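The two fixes the issue asks for (binding every value of an IN list through a PreparedStatement, and validating the limit instead of splicing it into the SQL text) as an added example that is not the Phoenix tracing webapp's own code. The TRACES table and TRACE_ID column are assumed names; the code uses only standard JDBC and can sit in front of any JDBC connection, Phoenix included.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

// Added example, not Phoenix code. Table and column names are hypothetical.
public class SafeTraceQuery {

    private static final int MAX_LIMIT = 1000;

    // The pattern the issue flags: request values spliced into the SQL text.
    // Any value containing SQL syntax changes the statement's meaning.
    static String unsafeSql(List<String> ids, String limit) {
        return "SELECT TRACE_ID FROM TRACES WHERE TRACE_ID IN ("
                + String.join(",", ids) + ") LIMIT " + limit;
    }

    // Builds "?, ?, ?" for n values so each value is bound, never inlined.
    static String placeholders(int n) {
        if (n <= 0) throw new IllegalArgumentException("need at least one value");
        StringBuilder sb = new StringBuilder("?");
        for (int i = 1; i < n; i++) sb.append(", ?");
        return sb.toString();
    }

    // LIMIT must be a bounded positive integer; reject anything else up front.
    static int parseLimit(String raw) {
        int limit;
        try {
            limit = Integer.parseInt(raw.trim());
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("limit must be an integer");
        }
        if (limit < 1 || limit > MAX_LIMIT) throw new IllegalArgumentException("limit out of range");
        return limit;
    }

    // Hardened findMultiple(): fixed SQL skeleton, all request data bound.
    static List<String> findMultiple(Connection conn, List<String> ids, String rawLimit) throws SQLException {
        String sql = "SELECT TRACE_ID FROM TRACES WHERE TRACE_ID IN ("
                + placeholders(ids.size()) + ") LIMIT ?";
        List<String> out = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            int i = 1;
            for (String id : ids) ps.setString(i++, id);
            ps.setInt(i, parseLimit(rawLimit));
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) out.add(rs.getString(1));
            }
        }
        return out;
    }
}
```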
