RAML Module Builder

RMB-379: wrong Criteria value masking results in SQL Injection


    Details

    • Sprint: CP: sprint 64
    • Story Points: 2
    • Development Team: Core: Platform

      Description

      org.folio.rest.persist.Criteria does not properly mask the value from setValue. The result must be a proper SQL String. The wrong masking results in SQL injection.

      Correct masking (and wrapping into single quotes):

      a -> 'a'
      empty string -> ''
      

      Wrong masking (examples, this list is not complete):

      'a' -> expected '''a''', actual 'a'
      O'Kapi -> expected 'O''Kapi', actual 'O'Kapi'
      '' -> expected '''''', actual ''''
      ' -> expected '''', actual '''
      
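      Added example, not code from RAML Module Builder: a mask function that applies the correct masking described above (double every embedded single quote, then wrap in single quotes), plus a check that a masked value parses as exactly one SQL string literal, run over the cases listed in this issue. The class and method names are assumptions.

```java
/** Added example (not RMB's own code): how Criteria.setValue should mask a string for SQL. */
public final class SqlLiteralMasking {

    /** Double every embedded single quote, then wrap in single quotes. */
    public static String mask(String value) {
        return "'" + value.replace("'", "''") + "'";
    }

    /**
     * True if masked is exactly one single-quoted SQL literal: it starts and ends
     * with a quote and every quote in between belongs to a doubled pair. Anything
     * else lets part of the value be parsed as SQL instead of as data.
     */
    public static boolean isSingleLiteral(String masked) {
        int end = masked.length() - 1;
        if (end < 1 || masked.charAt(0) != '\'' || masked.charAt(end) != '\'') {
            return false;
        }
        for (int i = 1; i < end; i++) {
            if (masked.charAt(i) == '\'') {
                if (i + 1 >= end || masked.charAt(i + 1) != '\'') {
                    return false; // a lone quote closes the literal early
                }
                i++; // skip the second half of the doubled pair
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // input, expected masking and the wrong actual output, all taken from the issue
        String[][] cases = {
            {"a", "'a'", "'a'"},
            {"", "''", "''"},
            {"'a'", "'''a'''", "'a'"},
            {"O'Kapi", "'O''Kapi'", "'O'Kapi'"},
            {"''", "''''''", "''''"},
            {"'", "''''", "'''"},
        };
        for (String[] c : cases) {
            String masked = mask(c[0]);
            System.out.printf("%-7s mask=%-9s %s; reported actual %-9s single literal? %b%n",
                    c[0], masked, masked.equals(c[1]) ? "matches expected" : "MISMATCH",
                    c[2], isSingleLiteral(c[2]));
        }
        // 'O'Kapi' and ''' fail the check (the value leaks into the SQL); 'a' and ''''
        // pass the check but encode a different value than the one that was set.
    }
}
```

      The well-formedness check alone is not sufficient: two of the reported wrong outputs are valid literals for a different value, so a fix also needs the exact expected outputs above as regression tests.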

                Assignee: Julian Ladisch
                Reporter: Julian Ladisch