Posted to issues@kylin.apache.org by "Ted Yu (JIRA)" <ji...@apache.org> on 2016/09/24 00:01:46 UTC

[jira] [Created] (KYLIN-2046) Potential injected SQL attack vulnerability in QueryService

Ted Yu created KYLIN-2046:
-----------------------------

             Summary: Potential injected SQL attack vulnerability in QueryService
                 Key: KYLIN-2046
                 URL: https://issues.apache.org/jira/browse/KYLIN-2046
             Project: Kylin
          Issue Type: Bug
            Reporter: Ted Yu


{code}
        String correctedSql = QueryUtil.massageSql(sqlRequest);
        if (!correctedSql.equals(sqlRequest.getSql())) {
...
        return execute(correctedSql, sqlRequest);
{code}
massageSql() uses regex to detect malformed SQL.

However, there may be SQL injection that is not detected by massageSql().
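The point of the report is that a regex-based "massage" step has no model of SQL structure, so it cannot tell whether an untrusted value has changed the shape of the query. The following Python example, added here and not part of the Kylin code or this ticket, makes that concrete: a hypothetical keyword filter (regex_massage, a stand-in that is not Kylin's massageSql) lets a perfectly innocent value containing a quote through unchanged, the concatenated query then breaks because the data has become part of the statement, while the parameterized form binds the same value as a literal and works. The table, rows and names are constructed for the demo.

```python
import re
import sqlite3

# Hypothetical regex filter standing in for a "massage" step: it rejects a few
# keywords but has no understanding of where string literals begin and end.
KEYWORD_FILTER = re.compile(r"\b(drop|delete|union)\b", re.IGNORECASE)


def regex_massage(sql: str) -> str:
    """Reject SQL containing blocklisted keywords; otherwise return it unchanged."""
    if KEYWORD_FILTER.search(sql):
        raise ValueError("rejected by keyword filter")
    return sql


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table with one legitimate name that contains a quote."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("O'Brien", "user")],
    )
    return conn


def lookup_concat(conn: sqlite3.Connection, name: str) -> list:
    """Unsafe pattern: untrusted value spliced into the SQL text, then regex-checked."""
    sql = regex_massage(f"SELECT role FROM users WHERE name = '{name}'")
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn: sqlite3.Connection, name: str) -> list:
    """Safe pattern: query structure is fixed, the value is bound as a parameter."""
    return [row[0] for row in conn.execute(
        "SELECT role FROM users WHERE name = ?", (name,)
    )]


def query_outcome(fn, conn: sqlite3.Connection, name: str):
    """Return the rows, or the class name of the error the query raised."""
    try:
        return fn(conn, name)
    except (sqlite3.Error, ValueError) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    db = make_db()
    for value in ("alice", "O'Brien"):
        print(f"{value!r}: concat -> {query_outcome(lookup_concat, db, value)}, "
              f"param -> {query_outcome(lookup_param, db, value)}")
```

The regex filter accepts the query built from "O'Brien" because it matched none of its keywords, yet SQLite rejects that query with a syntax error: the quote in the data has terminated the literal early, so the value now participates in the statement's structure. That is exactly the property an injection relies on, and it is why the mitigation is to keep untrusted input out of the query text altogether (parameters, or a query builder that escapes per the dialect's rules) rather than to extend the regex.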



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)