Posted to dev@syncope.apache.org by "Guido Wimmel (JIRA)" <ji...@apache.org> on 2013/09/19 10:03:53 UTC
[jira] [Created] (SYNCOPE-416) AttributableSearchDAOImpl / Avoid query construction with string concatenation
Guido Wimmel created SYNCOPE-416:
------------------------------------
Summary: AttributableSearchDAOImpl / Avoid query construction with string concatenation
Key: SYNCOPE-416
URL: https://issues.apache.org/jira/browse/SYNCOPE-416
Project: Syncope
Issue Type: Improvement
Components: core
Affects Versions: 1.1.3, 1.2.0
Reporter: Guido Wimmel
Priority: Minor
Is there any reason why in org.apache.syncope.core.persistence.impl.AttributableSearchDAOImpl:419
the like condition is appended by string concatenation?
query.append(" LIKE '").append(cond.getExpression()).append("'");
IMO this could open up a possible SQL injection vulnerability.
In AttributableSearchDAOImpl:387 a query parameter is used, as I would have expected.
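Added illustration (not Syncope code; it uses Python and an in-memory SQLite table as a stand-in for the JPA query, and the table name, column name and sample values are constructed): the concatenated LIKE from line 419 beside the bound-parameter form the reporter expected, run over a value that legitimately contains a quote.

```python
import sqlite3

# Constructed sample attribute values; the apostrophe in "o'brien" is a legitimate value,
# not an attack string, yet it is enough to change the query text when concatenated.
SAMPLE_VALUES = ["alice", "bob", "o'brien", "admin"]


def build_db():
    # Hypothetical table standing in for the attribute-value table the DAO searches.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE attr_value (id INTEGER PRIMARY KEY, stringvalue TEXT)")
    conn.executemany("INSERT INTO attr_value (stringvalue) VALUES (?)",
                     [(v,) for v in SAMPLE_VALUES])
    return conn


def like_concat(conn, expression):
    # Same shape as the pattern reported at AttributableSearchDAOImpl:419: the LIKE operand
    # is spliced into the SQL text, so every quote in it is read as query syntax.
    query = "SELECT stringvalue FROM attr_value WHERE stringvalue LIKE '" + expression + "'"
    return [row[0] for row in conn.execute(query)]


def like_param(conn, expression):
    # The form used at line 387: the operand travels as a bound parameter and is never
    # parsed as SQL, so quotes inside it stay data.
    query = "SELECT stringvalue FROM attr_value WHERE stringvalue LIKE ?"
    return [row[0] for row in conn.execute(query, (expression,))]


def compare(expression):
    # Returns (concatenated result, parameterised result); a parse failure of the
    # concatenated query is returned as an "error: ..." string instead of raising.
    conn = build_db()
    try:
        concat_result = like_concat(conn, expression)
    except sqlite3.OperationalError as exc:
        concat_result = f"error: {exc}"
    param_result = like_param(conn, expression)
    conn.close()
    return concat_result, param_result


if __name__ == "__main__":
    print(compare("a%"))        # both forms agree on an ordinary wildcard pattern
    print(compare("o'brien"))   # concatenation breaks the statement; the parameter matches
```

Any input that alters the statement when concatenated but not when bound is the surface the reporter is pointing at; the bound form is the one to keep.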