You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@oodt.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2016/05/26 21:24:13 UTC

[jira] [Commented] (OODT-927) Values passed to SQL commands should be sanitized in CAS DataSourceIngestMapper.java

    [ https://issues.apache.org/jira/browse/OODT-927?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15302959#comment-15302959 ] 

ASF GitHub Bot commented on OODT-927:
-------------------------------------

GitHub user lewismc opened a pull request:

    https://github.com/apache/oodt/pull/39

    OODT-927 Values passed to SQL commands should be sanitized in CAS DataSourceIngestMapper.java

    Hi Folks,
    This PR 
     * uses prepared statements for SQL queries
     * sanitizes the variable inputs
     * implements try-with-resources if blocks for efficiency which were introduced in Java 7
     * makes commonly used strings static final string constants
     * uses @Override explicitly
     * adds a wee bit of formatting to core/pom.xml so that Tom's formatting job is not buggered.
    
    Generally speaking this cuts down on a alot of code, simplifies things and make it more modern across the concerned package.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/lewismc/oodt master

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/oodt/pull/39.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #39
    
----
commit 1a1cdf1ac8e3dc48187f66923ffd6baa92ced3c3
Author: Lewis John McGibbney <le...@gmail.com>
Date:   2016-05-26T21:25:25Z

    OODT-927 Values passed to SQL commands should be sanitized in CAS DataSourceIngestMapper.java

----


> Values passed to SQL commands should be sanitized in CAS DataSourceIngestMapper.java
> ------------------------------------------------------------------------------------
>
>                 Key: OODT-927
>                 URL: https://issues.apache.org/jira/browse/OODT-927
>             Project: OODT
>          Issue Type: Improvement
>          Components: catalog
>    Affects Versions: 0.12
>            Reporter: Lewis John McGibbney
>            Assignee: Lewis John McGibbney
>            Priority: Critical
>             Fix For: 0.13
>
>
> Right now in [DataSourceIngestMapper.java|https://github.com/apache/oodt/blob/91d0bafe71124906bd94baad746189caf35fb39c/catalog/src/main/java/org/apache/oodt/cas/catalog/mapping/DataSourceIngestMapper.java]  values passed to SQL commands are not sanitized. Applications that execute SQL commands should neutralize any externally-provided values used in those commands. Failure to do so could allow an attacker to include input that changes the query so that unintended commands are executed, or sensitive data is exposed.
> This issue checks that method parameters are not used directly in non-Hibernate SQL statements, and that parameter binding, rather than concatenation is used in Hibernate statements.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)