Posted to issues@sentry.apache.org by "Alexander Kolbasov (JIRA)" <ji...@apache.org> on 2016/09/21 05:04:21 UTC

[jira] [Created] (SENTRY-1476) SentryStore is subject to JDQL injection

Alexander Kolbasov created SENTRY-1476:
------------------------------------------

             Summary: SentryStore is subject to JDQL injection
                 Key: SENTRY-1476
                 URL: https://issues.apache.org/jira/browse/SENTRY-1476
             Project: Sentry
          Issue Type: Bug
          Components: Core
    Affects Versions: 1.7.0, sentry-ha-redesign
            Reporter: Alexander Kolbasov


SentryStore.java has a bunch of places where the query is constructed by concatenating strings rather than using JDQL parameters. This is subject to JDQL injection since some of the parameters come from Thrift.

All strings from Thrift should be passed as parameters, not as string concatenation.
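As an added illustration, not code from the Sentry project or from this ticket, the following shows the concatenation anti-pattern the report describes next to its parameterized JDOQL counterpart. The persistent class `MSentryRole` and its `roleName` field are assumed here for the example.

```java
import java.util.Collection;
import javax.jdo.PersistenceManager;
import javax.jdo.Query;

// Illustrative example only; MSentryRole and its roleName field are assumed.
final class RoleLookup {

    // Anti-pattern: a value that arrived over Thrift is spliced into the JDOQL
    // filter text, so quote characters in it are parsed as part of the query
    // and can change what the filter matches.
    static Collection<?> findRoleUnsafe(PersistenceManager pm, String roleName) {
        Query query = pm.newQuery(MSentryRole.class);
        query.setFilter("this.roleName == \"" + roleName + "\"");
        return (Collection<?>) query.execute();
    }

    // Remediation: declare a typed query parameter and bind the value at
    // execute time. The string is compared as data and is never parsed as JDOQL.
    static Collection<?> findRoleSafe(PersistenceManager pm, String roleName) {
        Query query = pm.newQuery(MSentryRole.class);
        query.declareParameters("java.lang.String pRoleName");
        query.setFilter("this.roleName == pRoleName");
        return (Collection<?>) query.execute(roleName);
    }
}
```

A simple way to audit for the anti-pattern is to grep the store for `setFilter(` or `newQuery(` calls whose argument contains a `+` string concatenation; each such site should be rewritten in the parameterized form.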



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)