Posted to issues@kylin.apache.org by "liyang (JIRA)" <ji...@apache.org> on 2016/10/18 22:52:58 UTC
[jira] [Updated] (KYLIN-2046) Potential injected SQL attack vulnerability in QueryService
[ https://issues.apache.org/jira/browse/KYLIN-2046?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
liyang updated KYLIN-2046:
--------------------------
Attachment: mail from SourceClear.png
> Potential injected SQL attack vulnerability in QueryService
> -----------------------------------------------------------
>
> Key: KYLIN-2046
> URL: https://issues.apache.org/jira/browse/KYLIN-2046
> Project: Kylin
> Issue Type: Bug
> Reporter: Ted Yu
> Attachments: mail from SourceClear.png
>
>
> {code}
> String correctedSql = QueryUtil.massageSql(sqlRequest);
> if (!correctedSql.equals(sqlRequest.getSql())) {
> ...
> return execute(correctedSql, sqlRequest);
> {code}
> massageSql() uses regex to detect malformed SQL.
> However, there may be SQL injection which is not detected by massageSql().
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
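The ticket's point is that a regex which looks for malformed SQL is a detector, not a trust boundary. The following added example (not code from the Kylin project, and not its massageSql(); the regex, the table and the rows are all constructed here) puts a hypothetical pattern-based check beside the two ways an application can build a query from untrusted text: splicing the text into the statement, and binding it as a parameter. It runs against an in-memory SQLite database so it needs nothing beyond the Python standard library.

```python
import re
import sqlite3

# Constructed sample data for the demonstration; not from the Kylin project.
ROWS = [("alice", "admin"), ("bob", "analyst"), ("carol", "analyst")]


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory table to query against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


# Hypothetical token blocklist standing in for "regex that detects malformed SQL".
# It is an assumption for this example, NOT Kylin's massageSql().
SUSPICIOUS = re.compile(r"(;|--|/\*|\bunion\b|\bdrop\b)", re.IGNORECASE)


def looks_malformed(sql: str) -> bool:
    """Return True when the statement contains one of the blocklisted tokens."""
    return SUSPICIOUS.search(sql) is not None


def lookup_concat(conn: sqlite3.Connection, name: str) -> list:
    """Risky pattern: untrusted text is spliced into the statement and the only
    control is the regex above. Anything the regex does not name passes through
    and is parsed as SQL, not as data."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    if looks_malformed(sql):
        raise ValueError("rejected by regex filter")
    return conn.execute(sql).fetchall()


def lookup_param(conn: sqlite3.Connection, name: str) -> list:
    """Hardened pattern: the statement text is fixed and the driver binds the
    value, so the parser never sees user text as SQL. No blocklist is needed."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    # A benign value behaves the same both ways.
    print(lookup_concat(db, "alice"), lookup_param(db, "alice"))
    # A value with an apostrophe: the spliced version is a syntax error,
    # the bound version is simply a name that matches nothing.
    print(lookup_param(db, "O'Brien"))
```

The detector only sees what it was written to see: a statement that contains none of the listed tokens is passed through unchanged, whereas the bound version returns the same result for any input, which is why the review finding asks for a stronger control than pattern matching.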