[RMB-565] review if all CQL to SQL generation code is using masking - FOLIO Issue Tracker

XML

Word

Printable

Details

Type: Task
Status: Closed (View Workflow)
Priority: P3
Resolution: Done
Affects Version/s: None
Fix Version/s: 30.0.0
Labels:
- platform-backlog
- security

Template:
customfield_11100 32803
Sprint:
CP: sprint 87
Story Points:
2
Development Team:
Core: Platform

Description

In CQL to PG SQL we don't use prepared statements since the SQL is generated automatically. To avoid injection all input variables must be properly escaped. Confirm if this is the case and add any missing tests.

TestRail: Results

Attachments

Issue Links

is blocked by

RMB-189 PostgresClient should use ? placeholder to avoid SQL Injection

Open

relates to

RMB-246 migrate to reactive postgres client (vertx-pg-client)

Closed

RMB-563 SQL injection in PostgresClient.update by id

Closed

RMB-603 Index name 63 chars truncation for long table and field names

Open

RMB-803 Fix URL encoding in BuildCQL preventing CQL injection

Closed

Activity

People

Assignee:: Julian Ladisch

Reporter:: Adam Dickmeiss

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 10/Feb/20 10:42 AM

Updated:: 18/Feb/21 2:24 PM

Resolved:: 02/May/20 11:06 AM

review if all CQL to SQL generation code is using masking