[RMB-189] PostgresClient should use ? placeholder to avoid SQL Injection - FOLIO Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Open (View Workflow)
Priority: P3
Resolution: Done
Affects Version/s: 19.2.0, 19.3.1
Fix Version/s: None
Labels:
- back-end
- core
- sprint44
- sprint45

Template:
Sprint:
CP: Roadmap backlog
Development Team:
Core: Platform

Description

A few functions already use ? as SQL placeholder for data binding:
https://github.com/folio-org/raml-module-builder/blob/f422f84/domain-models-runtime/src/main/java/org/folio/rest/persist/PostgresClient.java#L586
https://github.com/folio-org/raml-module-builder/blob/f422f84/domain-models-runtime/src/main/java/org/folio/rest/persist/PostgresClient.java#L643
https://github.com/folio-org/raml-module-builder/blob/f422f84/domain-models-runtime/src/main/java/org/folio/rest/persist/PostgresClient.java#L902

This avoids SQL Injection: https://en.wikipedia.org/wiki/SQL_injection

Rewrite all other PostgresClient functions so that they make use of ? placeholder.

TestRail: Results

Attachments

Issue Links

blocks

RMB-565 review if all CQL to SQL generation code is using masking

Closed

is blocked by

RMB-563 SQL injection in PostgresClient.update by id

Closed

relates to

DIMPT-20 Fix JSON formatting bug

Closed

RMB-199 Single quote SQL Injection in PostgresClient.delete(table, pojo, handler)

Closed

RMB-200 Single quote SQL Injection in PostgresClient.update(table, updateSection, ...)

Closed

RMB-201 Single quote SQL Injection in PostgresClient.saveBatch(table, list, handler)

Closed

RMB-261 Unit tests takes forever on Windows

Closed

(2 relates to)

Activity

People

Assignee:: Julian Ladisch

Reporter:: Julian Ladisch

Tester Assignee:: Adam Dickmeiss (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 19/Jul/18 3:04 PM

Updated:: 05/Jul/21 10:14 AM

Resolved:: 13/Aug/18 12:41 PM

PostgresClient should use ? placeholder to avoid SQL Injection