You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@sentry.apache.org by "Alexander Kolbasov (JIRA)" <ji...@apache.org> on 2017/02/08 07:24:41 UTC

[jira] [Comment Edited] (SENTRY-1609) DelegateSentryStore is subject to JDQL injection

    [ https://issues.apache.org/jira/browse/SENTRY-1609?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15857572#comment-15857572 ] 

Alexander Kolbasov edited comment on SENTRY-1609 at 2/8/17 7:24 AM:
--------------------------------------------------------------------

It seems that the simplest way to fix it is to just rewrite {{ getGroupsByRoles() }} to call {{ delegate.getMSentryRoleByName() }} which will get a role. Then we can just walk the role groups and add each group's name to a resulting set.


was (Author: akolb):
It seems that the simplest way to fix it is to just rewrite {{getGroupsByRoles()}} to call {{delegate.getMSentryRoleByName() }} which will get a role. Then we can just walk the role groups and add each group's name to a resulting set.

> DelegateSentryStore is subject to JDQL injection
> ------------------------------------------------
>
>                 Key: SENTRY-1609
>                 URL: https://issues.apache.org/jira/browse/SENTRY-1609
>             Project: Sentry
>          Issue Type: Bug
>          Components: Sentry
>    Affects Versions: 1.8.0, sentry-ha-redesign
>            Reporter: Alexander Kolbasov
>            Assignee: Alexander Kolbasov
>         Attachments: SENTRY-1609.001.patch
>
>
> The fix for SENTRY-1476 missed one case in DelegateSntryStore that should be addressed as well.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)