Posted to dev@kylin.apache.org by "Ted Yu (JIRA)" <ji...@apache.org> on 2016/09/24 00:01:46 UTC
[jira] [Created] (KYLIN-2046) Potential injected SQL attack vulnerability in QueryService
Ted Yu created KYLIN-2046:
-----------------------------
Summary: Potential injected SQL attack vulnerability in QueryService
Key: KYLIN-2046
URL: https://issues.apache.org/jira/browse/KYLIN-2046
Project: Kylin
Issue Type: Bug
Reporter: Ted Yu
{code}
String correctedSql = QueryUtil.massageSql(sqlRequest);
if (!correctedSql.equals(sqlRequest.getSql())) {
...
return execute(correctedSql, sqlRequest);
{code}
massageSql() uses regex to detect malformed SQL.
However, there may be SQL injection which is not detected by massageSql().
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
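
Added example, not part of the original message and not Kylin code: it contrasts a regex check on SQL text with a check enforced by the database engine after parsing. The regex is a hypothetical stand-in (it is not massageSql()), SQLite stands in for the query engine, and the tables and statements are constructed for the demo.

```python
import re
import sqlite3

ALLOWED_TABLES = {"sales"}  # constructed allowlist for this demo

# Hypothetical text-level check (NOT Kylin's massageSql): a single SELECT, no stacked statement.
LOOKS_LIKE_SELECT = re.compile(r"^\s*select\b[^;]*;?\s*$", re.IGNORECASE)

# Constructed sample statements.
BENIGN = "SELECT region, amount FROM sales"
CROSS_TABLE = BENIGN + " UNION SELECT username, secret FROM credentials"
WRITE = "DELETE FROM sales"

def regex_accepts(sql):
    return bool(LOOKS_LIKE_SELECT.match(sql))

def authorizer(action, arg1, arg2, db_name, source):
    # SQLite calls this while compiling the parsed statement, so the decision is
    # made on what the statement accesses, not on how its text is spelled.
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ and arg1 in ALLOWED_TABLES:
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY  # writes, DDL, other tables, everything else

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE sales(region TEXT, amount INTEGER);
        INSERT INTO sales VALUES ('east', 10), ('west', 20);
        CREATE TABLE credentials(username TEXT, secret TEXT);
        INSERT INTO credentials VALUES ('admin', 'constructed-secret');
    """)
    conn.set_authorizer(authorizer)  # installed after setup, before user SQL
    return conn

def engine_accepts(conn, sql):
    try:
        conn.execute(sql).fetchall()
        return True
    except sqlite3.DatabaseError:  # raised as "not authorized" on SQLITE_DENY
        return False

if __name__ == "__main__":
    conn = make_db()
    for sql in (BENIGN, CROSS_TABLE, WRITE):
        print(regex_accepts(sql), engine_accepts(conn, sql), sql)
```

The regex accepts the cross-table statement because it is textually a single SELECT; the authorizer rejects it because the compiled statement reads a table outside the allowlist.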