Posted to dev@olingo.apache.org by "Christian Amend (JIRA)" <ji...@apache.org> on 2015/06/16 17:17:01 UTC

[jira] [Resolved] (OLINGO-702) SQL Injection - Not validating 1=1 in filter query

     [ https://issues.apache.org/jira/browse/OLINGO-702?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Christian Amend resolved OLINGO-702.
------------------------------------
    Resolution: Not A Problem

Hi,

Actually, 1 eq 1 is not an SQL injection as such. It does not make sense, that is correct, but if you have the permission to see an entity set, any form of filter on this set can't be a SQL injection. SQL injections would allow you to see data you are not allowed to see. Also, these cases are allowed by the specification. You could also have a $filter=true expression, which is valid.

The Olingo library only validates syntax and not semantics. These semantics have to be checked when implementing the Filter Visitor. Please note that when you transform such a filter string into a WHERE clause, you are responsible for correctly escaping the string literals.

If you would still like to discuss this please reopen the issue.

Best Regards,
Christian
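
The point made in the comment above, that the parser only checks syntax and the filter visitor is the place where property names are validated and literals are kept out of the SQL text, can be shown with a small self-contained example. The code below is an added illustration written for this page, not Olingo's ExpressionVisitor API and not code from the project: it parses a subset of OData $filter (comparison operators, and/or, parentheses, integer, string and boolean literals), checks member names against an assumed allowlist, and emits a WHERE clause with bound parameters so that `Id eq 9000 or 1 eq 1` (syntactically valid, returns everything the caller may already see) and a string literal containing a quote are both handled as data. The table name, column names and sample rows are constructed for the example.

```python
"""Toy OData $filter -> parameterized SQL WHERE translator (illustration only).

Assumptions: a tiny subset of the OData filter grammar, an allowlist mapping
property names to column names, and a constructed SQLite table for testing.
This is not Olingo's ExpressionVisitor; it only mirrors the division of labour
described in the thread (parser = syntax, visitor = semantics + safe SQL).
"""
import re
import sqlite3

# Assumed entity model: which OData properties may be filtered on, and the column each maps to.
ALLOWED_MEMBERS = {"Id": "id", "Name": "name"}

# OData comparison operators and their SQL spelling.
COMPARISON = {"eq": "=", "ne": "<>", "gt": ">", "ge": ">=", "lt": "<", "le": "<="}

# Tokens: string literal 'x' (a doubled quote escapes a quote), integer, identifier, parenthesis.
_TOKEN = re.compile(r"\s*(?:('(?:[^']|'')*')|(-?\d+)|([A-Za-z_]\w*)|([()]))")


def tokenize(text):
    """Split the filter text into tokens; anything else is a syntax error."""
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m or m.end() == pos:
            raise ValueError(f"syntax error at offset {pos}")
        tokens.append(m.group(0).strip())
        pos = m.end()
    return tokens


class Parser:
    """Recursive-descent parser producing a small tuple-based AST (syntax only)."""

    def __init__(self, tokens):
        self.tokens, self.i = tokens, 0

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected!r}, got {tok!r}")
        self.i += 1
        return tok

    def parse(self):
        node = self.or_expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def or_expr(self):                      # or binds loosest
        node = self.and_expr()
        while self.peek() == "or":
            self.take()
            node = ("or", node, self.and_expr())
        return node

    def and_expr(self):
        node = self.primary()
        while self.peek() == "and":
            self.take()
            node = ("and", node, self.primary())
        return node

    def primary(self):
        if self.peek() == "(":
            self.take("(")
            node = self.or_expr()
            self.take(")")
            return node
        left = self.operand()
        if self.peek() not in COMPARISON:
            if left[0] == "lit" and isinstance(left[1], bool):
                return left                 # bare boolean, e.g. $filter=true
            raise ValueError(f"expected comparison operator, got {self.peek()!r}")
        return ("cmp", self.take(), left, self.operand())

    def operand(self):
        tok = self.take()
        if tok.startswith("'"):
            return ("lit", tok[1:-1].replace("''", "'"))   # decode OData quote escape
        if tok.lstrip("-").isdigit():
            return ("lit", int(tok))
        if tok in ("true", "false"):
            return ("lit", tok == "true")
        if tok in ("(", ")") or tok in COMPARISON or tok in ("and", "or"):
            raise ValueError(f"unexpected token {tok!r}")
        return ("member", tok)              # any other identifier is a property reference


def to_sql(node, params):
    """The 'visitor': validates members, binds every literal as a parameter."""
    kind = node[0]
    if kind in ("and", "or"):
        return f"({to_sql(node[1], params)} {kind.upper()} {to_sql(node[2], params)})"
    if kind == "cmp":
        return f"{to_sql(node[2], params)} {COMPARISON[node[1]]} {to_sql(node[3], params)}"
    if kind == "lit":
        params.append(node[1])              # never interpolated into the SQL text
        return "?"
    if node[1] not in ALLOWED_MEMBERS:      # semantic check the parser does not do
        raise ValueError(f"unknown property {node[1]!r}")
    return ALLOWED_MEMBERS[node[1]]


def filter_to_where(filter_text):
    """Return (where_clause, bound_parameters) for an OData $filter string."""
    params = []
    return to_sql(Parser(tokenize(filter_text)).parse(), params), params


def run_query(filter_text):
    """Execute the filter against a constructed in-memory table; return matching ids."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("CREATE TABLE employees(id INTEGER, name TEXT);"
                       "INSERT INTO employees VALUES (1,'Ann'),(2,'O''Brien'),(9000,'Zed');")
    where, params = filter_to_where(filter_text)
    rows = conn.execute(f"SELECT id FROM employees WHERE {where} ORDER BY id", params).fetchall()
    conn.close()
    return [r[0] for r in rows]
```

Running `filter_to_where("Id eq 9000 or 1 eq 1")` yields `(id = ? OR ? = ?)` with parameters `[9000, 1, 1]`: the tautology is accepted, exactly as the specification allows, and it only widens the result within the entity set the caller is already permitted to read. A property not in the allowlist (for example `Salary eq 1`) is rejected by the visitor rather than the parser, and `Name eq 'O''Brien'` reaches the database as a bound value, which is the escaping responsibility the comment describes.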

> SQL Injection - Not validating 1=1 in filter query
> --------------------------------------------------
>
>                 Key: OLINGO-702
>                 URL: https://issues.apache.org/jira/browse/OLINGO-702
>             Project: Olingo
>          Issue Type: Bug
>          Components: odata2-core, odata4-server
>            Reporter: Prashanth
>            Assignee: Christian Amend
>              Labels: filter
>
> I am trying to make a request with the following filter query option in the URI :
> http://host:8080/odata/odata.svc/Employees?$filter = Id eq 9000 or 1 eq 1
> Above request is giving all the entities ( employees details ) but olingo need to reject this as it includes 1 eq 1.
> Following is my perception. Please correct me if I am wrong in any way:
> Whenever the request URI includes a filter query option, Olingo validates the filter expression. While validating the filter query, it is checking the data type of values, i.e. in the above case, 9000 is the value for the property "Id". But if the left side operand is a literal, it should reject, but it is failing to do so.
> What I am thinking here is that Olingo should reject the request if the left side operand is a literal and not a valid property name.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)