[RMB-379] wrong Criteria value masking results in SQL Injection - FOLIO Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: P2
Resolution: Done
Affects Version/s: 24.0.0
Fix Version/s: 25.0.0
Labels:

Template:
Sprint:
CP: sprint 64
Story Points:
2
Development Team:
Core: Platform

Description

org.folio.rest.persist.Criteria does not properly masks the value from setValue. The result must be a proper SQL String. The wrong masking results in SQL injection.

Correct masking (and wrapping into single quotes):

a -> 'a'
empty string -> ''

Wrong masking (examples, this list is not complete):

'a' -> expected '''a''', actual 'a'
O'Kapi -> expected 'O''Kapi', actual 'O'Kapi'
'' -> expected '''''', actual ''''
' -> expected '''', actual '''

TestRail: Results

Attachments

Issue Links

blocks

UIU-835 Searching by Close Parens Generates Error

Closed

relates to

RMB-803 Fix URL encoding in BuildCQL preventing CQL injection

Closed

RMB-199 Single quote SQL Injection in PostgresClient.delete(table, pojo, handler)

Closed

RMB-393 unit tests fail again

Closed

Activity

People

Assignee:: Julian Ladisch

Reporter:: Julian Ladisch

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 21/May/19 1:13 PM

Updated:: 18/Feb/21 2:24 PM

Resolved:: 03/Jun/19 1:17 PM

wrong Criteria value masking results in SQL Injection