Posted to dev@olingo.apache.org by "Prashanth (JIRA)" <ji...@apache.org> on 2015/06/16 15:35:01 UTC

[jira] [Created] (OLINGO-702) SQL Injection - Not validating 1=1 in URI

Prashanth created OLINGO-702:
--------------------------------

             Summary: SQL Injection - Not validating 1=1 in URI
                 Key: OLINGO-702
                 URL: https://issues.apache.org/jira/browse/OLINGO-702
             Project: Olingo
          Issue Type: Bug
          Components: odata2-core, odata4-server
            Reporter: Prashanth


I am trying to make a request with the following filter query option in the URI:

http://host:8080/odata/odata.svc/Employees?$filter = Id eq 9000 or 1 eq 1

The above request is giving all the entities (employee details), but Olingo needs to reject this as it includes 1 eq 1.

Following is my perception. Please correct me if I am wrong in any way:

Whenever the request URI includes a filter query option, Olingo validates the filter expression. While validating the filter query, it is checking the data type of the values, i.e. in the above case, 9000 is the value for the property "Id". But if the left side operand is a literal, it should reject it, but it is failing to do so.

What I am thinking here is that Olingo should reject the request if the left side operand is a literal and not a valid property name.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
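As an added illustration of the check the reporter proposes (example code, not Olingo's own): a minimal validator for a flat $filter expression that rejects any comparison whose operands are both literals, such as `1 eq 1`, and also checks property names and literal types against a constructed Employees schema. The schema, function names and the accepted grammar (comparisons joined by `and`/`or`, no parentheses) are assumptions for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed example schema for the Employees entity set (assumption, not Olingo's).
EMPLOYEE_PROPERTIES = {"Id": int, "Name": str, "Age": int}

COMPARISON_OPS = {"eq", "ne", "gt", "ge", "lt", "le"}

def parse_literal(token):
    """Return (python_type, value) for an OData integer or string literal, else None."""
    if re.fullmatch(r"-?\d+", token):
        return int, int(token)
    if len(token) >= 2 and token[0] == "'" and token[-1] == "'":
        return str, token[1:-1]
    return None

def validate_comparison(left, op, right, schema):
    """Accept only 'property op literal' (or the reverse) with matching types."""
    if op not in COMPARISON_OPS:
        return False, f"unsupported operator {op!r}"
    l_lit, r_lit = parse_literal(left), parse_literal(right)
    # The reporter's case: a literal on both sides is a tautology/contradiction, never a property test.
    if l_lit is not None and r_lit is not None:
        return False, f"both operands are literals: {left} {op} {right}"
    prop, lit = (right, l_lit) if l_lit is not None else (left, r_lit)
    if lit is None:
        return False, f"no literal operand in {left} {op} {right}"
    if prop not in schema:
        return False, f"unknown property {prop!r}"
    if lit[0] is not schema[prop]:
        return False, f"type mismatch for {prop}"
    return True, "ok"

def validate_filter(expr, schema):
    """Split a flat filter on and/or and validate every comparison; return the problems found."""
    problems = []
    for clause in re.split(r"\s+(?:and|or)\s+", expr.strip()):
        parts = clause.split()
        if len(parts) != 3:
            problems.append(f"malformed clause {clause!r}")
            continue
        ok, reason = validate_comparison(*parts, schema)
        if not ok:
            problems.append(reason)
    return problems

def check_request_uri(uri, schema=EMPLOYEE_PROPERTIES):
    """Extract $filter from a request URI (tolerating stray spaces) and validate it."""
    query = {k.strip(): v[0].strip() for k, v in parse_qs(urlsplit(uri).query).items()}
    return validate_filter(query["$filter"], schema) if "$filter" in query else []
```

Rejecting literal-only comparisons removes the tautology from the report, but it does not replace binding filter literals as query parameters in the data layer, which is what keeps a $filter value out of the SQL text in the first place.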