Posted to issues@sentry.apache.org by "Alexander Kolbasov (JIRA)" <ji...@apache.org> on 2016/09/21 05:04:21 UTC
[jira] [Created] (SENTRY-1476) SentryStore is subject to JDQL injection
Alexander Kolbasov created SENTRY-1476:
------------------------------------------
Summary: SentryStore is subject to JDQL injection
Key: SENTRY-1476
URL: https://issues.apache.org/jira/browse/SENTRY-1476
Project: Sentry
Issue Type: Bug
Components: Core
Affects Versions: 1.7.0, sentry-ha-redesign
Reporter: Alexander Kolbasov
SentryStore.java has a bunch of places where the query is constructed by concatenating strings rather than using JDQL parameters. This is subject to JDQL injection since some of the parameters come from Thrift.
All strings from Thrift should be passed as parameters, not as string concatenation.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
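The issue above contrasts building a JDO query filter by string concatenation with binding caller-supplied values as query parameters. The following Java snippet is an added illustration, not code from SentryStore or the Sentry project; it uses the standard javax.jdo Query API and a hypothetical persistable class MRole (with a single String field roleName) standing in for Sentry's own model classes.

```java
import java.util.Collection;
import javax.jdo.PersistenceManager;
import javax.jdo.Query;

/**
 * Added illustration (not Sentry's code) of the two ways of building a
 * JDOQL filter. MRole is a hypothetical persistable class with a String
 * field "roleName"; it stands in for SentryStore's own model classes.
 */
public class RoleLookup {

  /** Vulnerable: the caller-supplied string becomes part of the filter text. */
  @SuppressWarnings("unchecked")
  static Collection<MRole> findRoleUnsafe(PersistenceManager pm, String roleName) {
    Query query = pm.newQuery(MRole.class);
    // roleName arriving from a Thrift request is spliced into the JDOQL
    // source. A value containing a quote character can close the literal
    // and change the meaning of the filter (e.g. turn a single-role lookup
    // into one that matches every role), which is the injection the issue
    // describes.
    query.setFilter("this.roleName == '" + roleName + "'");
    return (Collection<MRole>) query.execute();
  }

  /** Safe: the value is bound to a declared parameter, never parsed as JDOQL. */
  @SuppressWarnings("unchecked")
  static Collection<MRole> findRole(PersistenceManager pm, String roleName) {
    Query query = pm.newQuery(MRole.class);
    // The filter text is a constant; roleNameParam is a placeholder.
    query.setFilter("this.roleName == roleNameParam");
    query.declareParameters("java.lang.String roleNameParam");
    // Any quotes or operators inside roleName are plain data here.
    return (Collection<MRole>) query.execute(roleName);
  }

  /** Hypothetical JDO-persistable class used only by this illustration. */
  @javax.jdo.annotations.PersistenceCapable
  static class MRole {
    @javax.jdo.annotations.Persistent
    String roleName;
  }
}
```

When reviewing a JDO-backed store for this class of bug, a quick heuristic is to look for `setFilter(`, `newQuery(` or `setOrdering(` calls whose argument is assembled with `+` from a method parameter; each such site should be rewritten as in `findRole`, with the value passed through `declareParameters`/`execute` (or a parameter map) rather than concatenated.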