Posted to dev@ofbiz.apache.org by Leon Torres <le...@oss.minimetria.com> on 2006/07/07 21:00:39 UTC

SQL Injection risks with entity API

How robust is the entity engine API against sql injection attacks?  Consider the 
following scenario:

// get the field to order by from the request parameters
orderByField = parameters.get("orderByField");
if (orderByField == null || orderByField.trim().length() == 0) {
   orderByField = "partyId"; // default
}

...

parties = delegator.findByAnd("Party", conditions, 
UtilMisc.toList(orderByField)); // order by this field


What happens if the user tries to inject SQL into the orderByField parameter? 
Is there a risk?  Should I be protecting myself by validating the orderByField 
parameter or does ofbiz/JDBC already do this?

- Leon

Re: SQL Injection risks with entity API

Posted by Adrian Crum <ad...@hlmksw.com>.
Leon,

I'm glad you brought this up. It has always been a question in the back of my mind.

-Adrian


Leon Torres wrote:

> Ok I just tried to do it and it doesn't work because ofbiz validates the 
> field names, which is great.  Here's what I tried:
> 
> opportunitiesOrderBy=opportunityStageId;delete%20from%20party%20where%201=1
> 
> Results in:
> 
> Target exception: org.ofbiz.entity.GenericModelException: Field with 
> name opportunityStageId;delete from party where 1=1 not found in the 
> PartyRelationshipAndSalesOpportunity Entity
> 
> So there is no need to worry about using request parameters directly in 
> the entity engine API.
> 
> - Leon
> 
> 
> 
> Leon Torres wrote:
> 
>> How robust is the entity engine API against sql injection attacks?  
>> Consider the following scenario:
>>
>> // get the field to order by from the request parameters
>> orderByField = parameters.get("orderByField");
>> if (orderByField == null || orderByField.trim().length() == 0) {
>>   orderByField = "partyId"; // default
>> }
>>
>> ...
>>
>> parties = delegator.findByAnd("Party", conditions, 
>> UtilMisc.toList(orderByField)); // order by this field
>>
>>
>> What happens if the user tries to inject SQL into the orderByField 
>> parameter? Is there a risk?  Should I be protecting myself by 
>> validating the orderByField parameter or does ofbiz/JDBC already do this?
>>
>> - Leon
>>
> 

Re: SQL Injection risks with entity API

Posted by Leon Torres <le...@oss.minimetria.com>.
Ok I just tried to do it and it doesn't work because ofbiz validates the field 
names, which is great.  Here's what I tried:

opportunitiesOrderBy=opportunityStageId;delete%20from%20party%20where%201=1

Results in:

Target exception: org.ofbiz.entity.GenericModelException: Field with name 
opportunityStageId;delete from party where 1=1 not found in the 
PartyRelationshipAndSalesOpportunity Entity

So there is no need to worry about using request parameters directly in the 
entity engine API.

- Leon



Leon Torres wrote:
> How robust is the entity engine API against sql injection attacks?  
> Consider the following scenario:
> 
> // get the field to order by from the request parameters
> orderByField = parameters.get("orderByField");
> if (orderByField == null || orderByField.trim().length() == 0) {
>   orderByField = "partyId"; // default
> }
> 
> ...
> 
> parties = delegator.findByAnd("Party", conditions, 
> UtilMisc.toList(orderByField)); // order by this field
> 
> 
> What happens if the user tries to inject SQL into the orderByField 
> parameter? Is there a risk?  Should I be protecting myself by validating 
> the orderByField parameter or does ofbiz/JDBC already do this?
> 
> - Leon
> 
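The field-name check Leon ran into, as an added Python illustration (not OFBiz's own code; the entity model, the order-by grammar with "-"/ASC/DESC markers, and the request values are constructed assumptions): the ORDER BY clause is assembled only from names that exist in the entity model, so the raw request parameter never reaches SQL.

```python
"""Model-driven ORDER BY validation, modelled on the entity-engine
field-name check described in this thread.  Added example, not OFBiz code;
the entity definitions and order-by grammar below are assumptions."""
import re
from urllib.parse import unquote

# Constructed stand-in for the entity model the delegator consults.
ENTITY_MODEL = {
    "Party": {"partyId", "partyTypeId", "statusId", "createdDate"},
    "PartyRelationshipAndSalesOpportunity": {
        "partyIdFrom", "partyIdTo", "opportunityStageId", "salesOpportunityId"},
}

# Assumed order-by grammar: optional leading '-' or '+', one bare field name,
# optional trailing ASC/DESC.  Anything else is rejected as a whole token.
_ORDER_BY = re.compile(r"^([+-]?)([A-Za-z_][A-Za-z0-9_]*)(?:\s+(ASC|DESC))?$", re.I)


class GenericModelException(Exception):
    """Raised when a field or entity is not in the model (name as on the page)."""


def validate_order_by(entity_name, order_by_field):
    """Return (column, 'ASC'|'DESC') or raise with the thread's error wording."""
    fields = ENTITY_MODEL.get(entity_name)
    if fields is None:
        raise GenericModelException(f"Entity {entity_name} not found")
    m = _ORDER_BY.match(order_by_field.strip())
    if m is None or m.group(2) not in fields:
        raise GenericModelException(
            f"Field with name {order_by_field} not found in the {entity_name} Entity")
    sign, name, suffix = m.groups()
    descending = sign == "-" or (suffix or "").upper() == "DESC"
    return name, "DESC" if descending else "ASC"


def build_order_by_clause(entity_name, request_values, default="partyId"):
    """Validate every request-supplied term; SQL is built only from names that
    survived the model lookup.  Empty input falls back to the default field."""
    terms = [v for v in request_values if v and v.strip()] or [default]
    parts = [f"{c} {d}" for c, d in (validate_order_by(entity_name, t) for t in terms)]
    return "ORDER BY " + ", ".join(parts)


def is_safe_order_by(entity_name, raw_param):
    """True if a URL-encoded request parameter names a real field of the entity."""
    try:
        validate_order_by(entity_name, unquote(raw_param))
        return True
    except GenericModelException:
        return False
```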

Re: SQL Injection risks with entity API

Posted by BJ Freeman <bj...@free-man.net>.
In my configurations, each SQL database has its own login that is unique.
Without that login no other user can access the SQL database.

Are you saying that ofbiz may create these attacks? If so, how?

Leon Torres sent the following on 7/7/2006 12:00 PM:
> How robust is the entity engine API against sql injection attacks?  
> Consider the following scenario:
> 
> // get the field to order by from the request parameters
> orderByField = parameters.get("orderByField");
> if (orderByField == null || orderByField.trim().length() == 0) {
>   orderByField = "partyId"; // default
> }
> 
> ...
> 
> parties = delegator.findByAnd("Party", conditions, 
> UtilMisc.toList(orderByField)); // order by this field
> 
> 
> What happens if the user tries to inject SQL into the orderByField 
> parameter? Is there a risk?  Should I be protecting myself by validating 
> the orderByField parameter or does ofbiz/JDBC already do this?
> 
> - Leon
>