You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@fineract.apache.org by "Awasum Yannick (Jira)" <ji...@apache.org> on 2020/03/08 16:59:00 UTC

[jira] [Updated] (FINERACT-854) Use prepared statements instead of string concatenated SQL everywhere

     [ https://issues.apache.org/jira/browse/FINERACT-854?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Awasum Yannick updated FINERACT-854:
------------------------------------
    Labels: beginner starer  (was: )

> Use prepared statements instead of string concatenated SQL everywhere
> ---------------------------------------------------------------------
>
>                 Key: FINERACT-854
>                 URL: https://issues.apache.org/jira/browse/FINERACT-854
>             Project: Apache Fineract
>          Issue Type: Improvement
>            Reporter: Michael Vorburger
>            Priority: Major
>              Labels: beginner, starer
>
> The Fineract code base in many places creates SQL statements through String concatenation. This is prone to SQL injection. This is mitigated by the use of helpers utilities such as {{org.apache.fineract.infrastructure.core.api.ApiParameterHelper.sqlEncodeString(String)}} and {{org.apache.fineract.infrastructure.security.utils.SQLInjectionValidator.validateSQLInput(String)}} but I opine that those are workarounds... the better solution, both for security and likely also helping with performance (at least a little bit, knowing how much would require measuring it...), would be to use JDBC prepared statements with '?' placeholders and passing all raw arguments, instead of embedding them in the query String.
> FINERACT-808 root cause analysis brought this up, and I'm about to raise a PR for FINERACT-808 which makes a start; the goal of this issue is to use the new {{org.apache.fineract.infrastructure.security.utils.SQLBuilder}} everywhere, and eventually be able to get completely rid of {{ApiParameterHelper}} and {{SQLInjectionValidator}}.
> This issue should also include work to scan the code base for places where SQL Strings are concatenated without even using the existing helpers. FINERACT-853 could potentially help with that.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)