Posted to dev@olingo.apache.org by "Ramesh Reddy (JIRA)" <ji...@apache.org> on 2015/06/16 17:15:01 UTC

[jira] [Commented] (OLINGO-702) SQL Injection - Not validating 1=1 in filter query

    [ https://issues.apache.org/jira/browse/OLINGO-702?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14588174#comment-14588174 ] 

Ramesh Reddy commented on OLINGO-702:
-------------------------------------

IMO, it is mainly the service developer's responsibility to have such validations and reject the queries, rather than being done at the framework level. BTW, this could be a valid query, and one could also write it using the alias
{code}
http://host:8080/odata/odata.svc/Employees?$filter = Id eq 9000 or 1 eq @p1?p1=1
{code}

> SQL Injection - Not validating 1=1 in filter query
> --------------------------------------------------
>
>                 Key: OLINGO-702
>                 URL: https://issues.apache.org/jira/browse/OLINGO-702
>             Project: Olingo
>          Issue Type: Bug
>          Components: odata2-core, odata4-server
>            Reporter: Prashanth
>            Assignee: Christian Amend
>              Labels: filter
>
> I am trying to make a request with the following filter query option in the URI:
> http://host:8080/odata/odata.svc/Employees?$filter = Id eq 9000 or 1 eq 1
> The above request is giving all the entities (employee details), but Olingo needs to reject this as it includes 1 eq 1.
> Following is my perception. Please correct me if I am wrong in any way:
> Whenever the request URI includes a filter query option, Olingo validates the filter expression. While validating the filter query, it is checking the data type of values, i.e. in the above case, 9000 is the value for the property "Id". But if the left side operand is a literal, it should reject it, but it is failing to do so.
> What I am thinking here is that Olingo should reject the request if the left side operand is a literal and not a valid property name.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
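As an added example (not Olingo code and not part of this thread), here is a hypothetical service-side check in Python that does what the reporter asks for, and that the alias form in the comment above makes necessary. The $filter text is parsed into a tree (the subset used in the ticket: eq/ne/lt/le/gt/ge comparisons joined with and/or, parentheses, integer and string literals, property names and @alias parameters), alias values are substituted from the query string, and only then is any comparison rejected in which neither operand involves an entity property. That is slightly more general than "left operand is a literal": 9000 eq Id is allowed, while 1 eq 1, 'a' eq 'a' and 1 eq @p1 with @p1=1 are all refused. The alias value is passed as @p1=1, the OData 4 query syntax for parameter aliases; the function and exception names and the sample URL with Name eq 'Bob' are illustrative assumptions.

```python
"""Hypothetical service-side $filter policy check (added example, not Olingo code): parse the subset of
$filter used in the ticket, substitute @alias values from the query string, then reject comparisons
in which neither operand involves an entity property."""
import re
from urllib.parse import parse_qs, urlsplit

class FilterError(ValueError):
    """Malformed $filter, or one the service's policy refuses."""

TOKEN_RE = re.compile(r"\(|\)|@\w+|'(?:[^']|'')*'|-?\d+|\w+")
COMPARISONS = ("eq", "ne", "lt", "le", "gt", "ge")

def tokenize(text):
    if TOKEN_RE.sub("", text).strip():  # anything the pattern does not consume is unsupported
        raise FilterError("unsupported characters in $filter")
    return TOKEN_RE.findall(text)

def parse_filter(text):
    """Recursive descent; OData precedence comparison > and > or. Nodes are tuples:
    ('or'|'and', l, r), ('cmp', op, l, r), ('lit', value), ('prop', name), ('alias', name)."""
    tokens, pos = tokenize(text), 0
    def peek():
        return tokens[pos] if pos < len(tokens) else None
    def take():
        nonlocal pos
        if peek() is None:
            raise FilterError("unexpected end of $filter")
        pos += 1
        return tokens[pos - 1]
    def chain(op, sub):  # left-associative 'or' / 'and'
        node = sub()
        while peek() == op:
            take()
            node = (op, node, sub())
        return node
    def expression():
        return chain("or", lambda: chain("and", comparison))
    def comparison():
        left = primary()
        if peek() in COMPARISONS:
            return ("cmp", take(), left, primary())
        return left
    def primary():
        tok = take()
        if tok == "(":
            node = expression()
            if take() != ")":
                raise FilterError("missing ')'")
            return node
        if tok.startswith("@"):
            return ("alias", tok[1:])
        if tok.startswith("'"):
            return ("lit", tok[1:-1].replace("''", "'"))
        if re.fullmatch(r"-?\d+", tok):
            return ("lit", int(tok))
        if tok in COMPARISONS or tok in ("and", "or"):
            raise FilterError(f"operator {tok!r} where an operand was expected")
        return ("prop", tok)
    node = expression()
    if peek() is not None:
        raise FilterError(f"unexpected token {peek()!r}")
    return node

def resolve_aliases(node, aliases):
    """Replace @alias nodes with the parsed value given in the query string (OData 4: @p1=1)."""
    if node[0] == "alias":
        if node[1] not in aliases:
            raise FilterError(f"alias @{node[1]} has no value in the query string")
        return parse_filter(aliases[node[1]])
    if node[0] in ("lit", "prop"):
        return node
    if node[0] == "cmp":
        return ("cmp", node[1], resolve_aliases(node[2], aliases), resolve_aliases(node[3], aliases))
    return (node[0],) + tuple(resolve_aliases(child, aliases) for child in node[1:])

def references_property(node):
    """True when the subtree reads at least one entity property, i.e. is not a constant."""
    if node[0] == "alias":
        raise FilterError(f"unresolved alias @{node[1]}")
    if node[0] in ("prop", "lit"):
        return node[0] == "prop"
    return any(references_property(c) for c in node[1:] if isinstance(c, tuple))

def reject_constant_comparisons(node):
    """Policy: refuse a comparison whose operands are both constants (1 eq 1, 1 eq @p1 with @p1=1)."""
    if node[0] == "cmp" and not (references_property(node[2]) or references_property(node[3])):
        raise FilterError(f"comparison without a property operand: {node[2]} {node[1]} {node[3]}")
    for child in node[1:]:
        if isinstance(child, tuple):
            reject_constant_comparisons(child)

def check_request(url):
    """Apply the policy to a request URL: (True, tree) if accepted, (False, reason) if refused."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    params = {k.strip(): v[-1].strip() for k, v in query.items()}  # tolerate '$filter = ...' spacing
    if "$filter" not in params:
        return True, None
    aliases = {k[1:]: v for k, v in params.items() if k.startswith("@")}
    try:
        tree = resolve_aliases(parse_filter(params["$filter"]), aliases)
        reject_constant_comparisons(tree)
    except FilterError as err:
        return False, str(err)
    return True, tree
```

Because the check runs on the tree after alias substitution rather than on the raw URL, a textual scan for "1 eq 1" cannot be sidestepped by moving the literal into an alias. The check enforces only the policy discussed in the ticket; any row restriction the service needs for authorization still has to be applied by the service itself, independently of what the client puts in $filter.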