Posted to dev@olingo.apache.org by "Prashanth (JIRA)" <ji...@apache.org> on 2015/06/16 15:35:01 UTC
[jira] [Created] (OLINGO-702) SQL Injection - Not validating 1=1 in URI
Prashanth created OLINGO-702:
--------------------------------
Summary: SQL Injection - Not validating 1=1 in URI
Key: OLINGO-702
URL: https://issues.apache.org/jira/browse/OLINGO-702
Project: Olingo
Issue Type: Bug
Components: odata2-core, odata4-server
Reporter: Prashanth
I am trying to make a request with the following filter query option in the URI :
http://host:8080/odata/odata.svc/Employees?$filter = Id eq 9000 or 1 eq 1
The above request is returning all the entities (employee details), but Olingo needs to reject this as it includes 1 eq 1.
The following is my perception. Please correct me if I am wrong in any way:
Whenever the request URI includes a filter query option, Olingo validates the filter expression. While validating the filter query, it checks the data type of the values, i.e. in the above case, 9000 is the value for the property "Id". But if the left-side operand is a literal, it should reject it, yet it fails to do so.
What I am thinking here is that Olingo should reject the request if the left-side operand is a literal and not a valid property name.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
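As an added illustration of the check the ticket proposes (this is not Olingo's code; the property whitelist and the small grammar subset it accepts are assumptions), a $filter validator that rejects a comparison whose operands are both literals, such as `1 eq 1`, and any operand that is not a known property of the entity:

```python
import re

# Constructed whitelist of the entity set's properties (assumed, not read from Olingo metadata).
EMPLOYEE_PROPERTIES = {"Id", "Name", "Age"}
COMPARISON_OPS = {"eq", "ne", "gt", "ge", "lt", "le"}
LOGICAL_OPS = {"and", "or"}

# Accepted tokens: single-quoted strings, numbers, identifiers, parentheses.
TOKEN_RE = re.compile(r"'(?:[^']|'')*'|\d+(?:\.\d+)?|[A-Za-z_][A-Za-z0-9_]*|[()]")


def tokenize(expr):
    tokens = TOKEN_RE.findall(expr)
    # Any character the token grammar did not consume (e.g. ';') is rejected outright.
    if "".join(tokens).replace(" ", "") != re.sub(r"\s+", "", expr):
        raise ValueError("unrecognised characters in filter")
    return tokens


def is_literal(tok):
    return tok[0] == "'" or tok[0].isdigit() or tok in {"true", "false", "null"}


def validate_filter(expr, properties):
    """Return the comparison clauses of a filter of the form
    <operand> <op> <operand> (and|or <operand> <op> <operand>)*.
    Raises ValueError for an unknown property or for a clause without any
    property operand (a tautology such as 1 eq 1)."""
    toks = [t for t in tokenize(expr) if t not in ("(", ")")]
    clauses, i = [], 0
    while i < len(toks):
        if i + 2 >= len(toks) or toks[i + 1] not in COMPARISON_OPS:
            raise ValueError(f"malformed clause near {toks[i:i + 3]}")
        lhs, op, rhs = toks[i], toks[i + 1], toks[i + 2]
        for side in (lhs, rhs):
            if not is_literal(side) and side not in properties:
                raise ValueError(f"unknown property {side!r}")
        if is_literal(lhs) and is_literal(rhs):
            raise ValueError(f"clause '{lhs} {op} {rhs}' compares two literals")
        clauses.append((lhs, op, rhs))
        i += 3
        if i < len(toks):
            if toks[i] not in LOGICAL_OPS:
                raise ValueError(f"expected and/or, got {toks[i]!r}")
            i += 1
    return clauses


def filter_is_safe(expr, properties=EMPLOYEE_PROPERTIES):
    """True if the filter passes validation, False otherwise."""
    try:
        validate_filter(expr, properties)
        return True
    except ValueError:
        return False
```

The filter from the ticket, `Id eq 9000 or 1 eq 1`, is rejected because its second clause has no property operand, while `Id eq 9000` alone is accepted.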