<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0">
<base href="https://hibernate.atlassian.net">
<title>Message Title</title>
</head>
<body class="jira" style="color: #333333; font-family: Arial, sans-serif; font-size: 14px; line-height: 1.429">
<table id="background-table" cellpadding="0" cellspacing="0" width="100%" style="border-collapse: collapse; mso-table-lspace: 0; mso-table-rspace: 0; background-color: #f5f5f5; border-collapse: collapse; mso-table-lspace: 0; mso-table-rspace: 0" bgcolor="#f5f5f5">
<!-- header here -->
<tbody>
<tr>
<td id="header-pattern-container" style="padding: 0; border-collapse: collapse; padding: 10px 20px">
<table id="header-pattern" cellspacing="0" cellpadding="0" border="0" style="border-collapse: collapse; mso-table-lspace: 0; mso-table-rspace: 0">
<tbody>
<tr>
<td id="header-avatar-image-container" valign="top" style="padding: 0; border-collapse: collapse; vertical-align: top; width: 32px; padding-right: 8px" width="32"> <img id="header-avatar-image" class="image_fix" src="https://secure.gravatar.com/avatar/e990c7cdac81e570939c4d5b17303b42?d=mm&s=48" height="32" width="32" border="0" style="border-radius: 3px; vertical-align: top"> </td>
<td id="header-text-container" valign="middle" style="padding: 0; border-collapse: collapse; vertical-align: middle; font-family: Arial, sans-serif; font-size: 14px; line-height: 20px; mso-line-height-rule: exactly; mso-text-raise: 1px"> <a class="user-hover" rel="xenoterracide" id="email_xenoterracide" href="https://hibernate.atlassian.net/secure/ViewProfile.jspa?name=xenoterracide" style="color:#6c797f;; color: #3b73af; text-decoration: none">Caleb Cushing</a> <strong>created</strong> an issue </td>
</tr>
</tbody>
</table> </td>
</tr>
<tr>
<td id="email-content-container" style="padding: 0; border-collapse: collapse; padding: 0 20px">
<table id="email-content-table" cellspacing="0" cellpadding="0" border="0" width="100%" style="border-collapse: collapse; mso-table-lspace: 0; mso-table-rspace: 0; border-spacing: 0; border-collapse: separate">
<tbody>
<tr>
<!-- there needs to be content in the cell for it to render in some clients -->
<td class="email-content-rounded-top mobile-expand" style="padding: 0; border-collapse: collapse; color: #ffffff; padding: 0 15px 0 16px; height: 15px; background-color: #ffffff; border-left: 1px solid #cccccc; border-top: 1px solid #cccccc; border-right: 1px solid #cccccc; border-bottom: 0; border-top-right-radius: 5px; border-top-left-radius: 5px; height: 10px; line-height: 10px; padding: 0 15px 0 16px; mso-line-height-rule: exactly" height="10" bgcolor="#ffffff"> </td>
</tr>
<tr>
<td class="email-content-main mobile-expand " style="padding: 0; border-collapse: collapse; border-left: 1px solid #cccccc; border-right: 1px solid #cccccc; border-top: 0; border-bottom: 0; padding: 0 15px 0 16px; background-color: #ffffff" bgcolor="#ffffff">
<table class="page-title-pattern" cellspacing="0" cellpadding="0" border="0" width="100%" style="border-collapse: collapse; mso-table-lspace: 0; mso-table-rspace: 0">
<tbody>
<tr>
<td class="page-title-pattern-first-line " style="padding: 0; border-collapse: collapse; font-family: Arial, sans-serif; font-size: 14px; padding-top: 10px"> <a href="https://hibernate.atlassian.net/browse/HHH" style="color: #3b73af; text-decoration: none">Hibernate ORM</a> / <a href="https://hibernate.atlassian.net/browse/HHH-11590" style="color: #3b73af; text-decoration: none"><img src="cid:jira-generated-image-avatar-c3e26cca-9461-4358-9c5f-6952fea37e77" height="16" width="16" border="0" align="absmiddle" alt="Bug" style="vertical-align: text-bottom"></a> <a href="https://hibernate.atlassian.net/browse/HHH-11590" style="color: #3b73af; text-decoration: none">HHH-11590</a> </td>
</tr>
<tr>
<td style="vertical-align: top;; padding: 0; border-collapse: collapse; padding-right: 5px; font-size: 20px; line-height: 30px; mso-line-height-rule: exactly" class="page-title-pattern-header-container"> <span class="page-title-pattern-header" style="font-family: Arial, sans-serif; padding: 0; font-size: 20px; line-height: 30px; mso-text-raise: 2px; mso-line-height-rule: exactly; vertical-align: middle"> <a href="https://hibernate.atlassian.net/browse/HHH-11590" style="color: #3b73af; text-decoration: none">sequence (and other?) identifiers injectable</a> </span> </td>
</tr>
</tbody>
</table> </td>
</tr>
<tr>
<td class="email-content-main mobile-expand wrapper-special-margin" style="padding: 0; border-collapse: collapse; border-left: 1px solid #cccccc; border-right: 1px solid #cccccc; border-top: 0; border-bottom: 0; padding: 0 15px 0 16px; background-color: #ffffff; padding-top: 10px; padding-bottom: 5px" bgcolor="#ffffff">
<table class="keyvalue-table" style="border-collapse: collapse; mso-table-lspace: 0; mso-table-rspace: 0">
<tbody>
<tr>
<th style="color: #707070; font: normal 14px/20px Arial, sans-serif; text-align: left; vertical-align: top; padding: 2px 0">Issue Type:</th>
<td class="has-icon" style="padding: 0; border-collapse: collapse; font: normal 14px/20px Arial, sans-serif; padding: 2px 0 2px 5px; vertical-align: top"> <img src="cid:jira-generated-image-avatar-c3e26cca-9461-4358-9c5f-6952fea37e77" height="16" width="16" border="0" align="absmiddle" alt="Bug" style="vertical-align: text-bottom"> Bug </td>
</tr>
<tr>
<th style="color: #707070; font: normal 14px/20px Arial, sans-serif; text-align: left; vertical-align: top; padding: 2px 0">Affects Versions:</th>
<td style="padding: 0; border-collapse: collapse; font: normal 14px/20px Arial, sans-serif; padding: 2px 0 2px 5px; vertical-align: top"> 5.0.12 </td>
</tr>
<tr>
<th style="color: #707070; font: normal 14px/20px Arial, sans-serif; text-align: left; vertical-align: top; padding: 2px 0">Assignee:</th>
<td style="padding: 0; border-collapse: collapse; font: normal 14px/20px Arial, sans-serif; padding: 2px 0 2px 5px; vertical-align: top"> Unassigned </td>
</tr>
<tr>
<th style="color: #707070; font: normal 14px/20px Arial, sans-serif; text-align: left; vertical-align: top; padding: 2px 0">Created:</th>
<td style="padding: 0; border-collapse: collapse; font: normal 14px/20px Arial, sans-serif; padding: 2px 0 2px 5px; vertical-align: top"> 22/Mar/2017 08:28 AM </td>
</tr>
<tr>
<th style="color: #707070; font: normal 14px/20px Arial, sans-serif; text-align: left; vertical-align: top; padding: 2px 0">Priority:</th>
<td class="has-icon" style="padding: 0; border-collapse: collapse; font: normal 14px/20px Arial, sans-serif; padding: 2px 0 2px 5px; vertical-align: top"> <img src="cid:jira-generated-image-static-critical-5a830b48-f226-48f0-b8a8-5124aaf860f4" height="16" width="16" border="0" align="absmiddle" alt="Critical" style="vertical-align: text-bottom"> Critical </td>
</tr>
<tr>
<th style="color: #707070; font: normal 14px/20px Arial, sans-serif; text-align: left; vertical-align: top; padding: 2px 0">Reporter:</th>
<td style="padding: 0; border-collapse: collapse; font: normal 14px/20px Arial, sans-serif; padding: 2px 0 2px 5px; vertical-align: top"> <a class="user-hover" rel="xenoterracide" id="email_xenoterracide" href="https://hibernate.atlassian.net/secure/ViewProfile.jspa?name=xenoterracide" style="color:#6c797f;; color: #3b73af; text-decoration: none">Caleb Cushing</a> </td>
</tr>
</tbody>
</table> </td>
</tr>
<tr>
<td class="email-content-main mobile-expand issue-description-container" style="padding: 0; border-collapse: collapse; border-left: 1px solid #cccccc; border-right: 1px solid #cccccc; border-top: 0; border-bottom: 0; padding: 0 15px 0 16px; background-color: #ffffff; padding-top: 5px; padding-bottom: 10px" bgcolor="#ffffff">
<table class="text-paragraph-pattern" cellspacing="0" cellpadding="0" border="0" width="100%" style="border-collapse: collapse; mso-table-lspace: 0; mso-table-rspace: 0; font-family: Arial, sans-serif; font-size: 14px; line-height: 20px; mso-line-height-rule: exactly; mso-text-raise: 2px">
<tbody>
<tr>
<td class="text-paragraph-pattern-container mobile-resize-text " style="padding: 0; border-collapse: collapse; padding: 0 0 10px"> <p style="margin-top:0;margin-bottom:10px;; margin: 10px 0 0; margin-top: 0">from <tt>Oracle8iDialect</tt>:374</p>
<div class="code panel" style="border-width: 1px;; border: 1px solid #cccccc; background: #f5f5f5; font-size: 12px; line-height: 1.333; font-family: monospace; border: 1px solid #cccccc; -moz-border-radius: 3px; border-radius: 3px; margin: 9px 0">
<div class="codeContent panelContent" style="padding: 9px 12px">
<pre class="code-java" style="margin: 10px 0 0; margin-top: 0; max-height: 30em; overflow: auto; white-space: pre-wrap; word-wrap: normal">
@Override
<span class="code-keyword" style="color: #000091">public</span> <span class="code-object" style="color: #910091">String</span> getSelectSequenceNextValString(<span class="code-object" style="color: #910091">String</span> sequenceName) {
<span class="code-keyword" style="color: #000091">return</span> sequenceName + <span class="code-quote" style="color: #009100">".nextval"</span>;
}
</pre>
</div>
</div> <p style="margin-top:0;margin-bottom:10px;; margin: 10px 0 0">this means that if you write code like <a href="http://stackoverflow.com/a/23267212/206466" class="external-link" rel="nofollow" style="color: #3b73af; text-decoration: none">this</a> if your sequence name comes from user input it's vulnerable to sql injection. Here's a partial proof of concept (from our code) I can write a full one if necessary.</p>
<div class="code panel" style="border-width: 1px;; border: 1px solid #cccccc; background: #f5f5f5; font-size: 12px; line-height: 1.333; font-family: monospace; border: 1px solid #cccccc; -moz-border-radius: 3px; border-radius: 3px; margin: 9px 0">
<div class="codeContent panelContent" style="padding: 9px 12px">
<pre class="code-java" style="margin: 10px 0 0; margin-top: 0; max-height: 30em; overflow: auto; white-space: pre-wrap; word-wrap: normal">
<span class="code-object" style="color: #910091">int</span> getNextCodeIntegerFromSequence( <span class="code-keyword" style="color: #000091">final</span> TestClassification classification )
{
<span class="code-object" style="color: #910091">Long</span> next = entityManager.getSession()
.doReturningWork( conn ->
{
DatabaseMetaDataDialectResolutionInfoAdapter info
= <span class="code-keyword" style="color: #000091">new</span> DatabaseMetaDataDialectResolutionInfoAdapter( conn.getMetaData() );
Dialect dialect = <span class="code-keyword" style="color: #000091">new</span> StandardDialectResolver().resolveDialect( info );
<span class="code-object" style="color: #910091">String</span> seq = classification.getCodeSequence();
/* <span class="code-keyword" style="color: #000091">if</span> ( StringUtils.containsAny( seq, dialect.openQuote(), dialect.closeQuote() )) {
<span class="code-object" style="color: #910091">String</span> msg = <span class="code-object" style="color: #910091">String</span>.format( <span class="code-quote" style="color: #009100">"classification is being nefarious: <span class="code-quote" style="color: #009100">'%s'</span>"</span>, classification );
<span class="code-keyword" style="color: #000091">throw</span> <span class="code-keyword" style="color: #000091">new</span> IllegalArgumentException( msg );
}
*/
<span class="code-object" style="color: #910091">String</span> quoted = dialect.quote( <span class="code-quote" style="color: #009100">"`"</span> + seq + <span class="code-quote" style="color: #009100">"`"</span> );
<span class="code-object" style="color: #910091">String</span> sql = dialect.getSequenceNextValString( quoted );
<span class="code-keyword" style="color: #000091">try</span> ( PreparedStatement stmt = conn.prepareStatement( sql );
ResultSet res = stmt.executeQuery() )
{
<span class="code-keyword" style="color: #000091">while</span> ( res.next() )
{
<span class="code-keyword" style="color: #000091">return</span> res.getLong( 1 );
}
}
<span class="code-object" style="color: #910091">String</span> fmt = <span class="code-quote" style="color: #009100">"something went wrong, you shouldn<span class="code-quote" style="color: #009100">'t reach <span class="code-keyword" style="color: #000091; color: #009100">this</span>, here'</span>s the "</span>
+ <span class="code-quote" style="color: #009100">"classifcation: %s"</span>;
<span class="code-keyword" style="color: #000091">throw</span> <span class="code-keyword" style="color: #000091">new</span> NoResultException( <span class="code-object" style="color: #910091">String</span>.format( fmt, classification ) );
} );
<span class="code-keyword" style="color: #000091">return</span> next.intValue();
}
</pre>
</div>
</div> <p style="margin-top:0;margin-bottom:10px;; margin: 10px 0 0">and a test</p>
<div class="code panel" style="border-width: 1px;; border: 1px solid #cccccc; background: #f5f5f5; font-size: 12px; line-height: 1.333; font-family: monospace; border: 1px solid #cccccc; -moz-border-radius: 3px; border-radius: 3px; margin: 9px 0">
<div class="codeContent panelContent" style="padding: 9px 12px">
<pre class="code-java" style="margin: 10px 0 0; margin-top: 0; max-height: 30em; overflow: auto; white-space: pre-wrap; word-wrap: normal">
@Test( expected = IllegalArgumentException.class )
<span class="code-keyword" style="color: #000091">public</span> void getNextCodeIntegerFromSequenceExploit() {
TestClassification classification = testClassificationRepo.findOne( 1L );
classification.setCodeSequence( classification.getCodeSequence() + <span class="code-quote" style="color: #009100">"\"</span>; drop table site_user; --" );
codeDao.getNextCodeIntegerFromSequence( classification ); <span class="code-comment" style="color: #808080">// <span class="code-keyword" style="color: #000091; color: #808080">throws</span>, code below never reached but left <span class="code-keyword" style="color: #000091; color: #808080">for</span>
</span> <span class="code-comment" style="color: #808080">// proof of concept testing
</span>
<span class="code-object" style="color: #910091">Integer</span> siteUserTables = codeDao.getEntityManager().getSession()
.doReturningWork( conn ->
{
<span class="code-object" style="color: #910091">String</span> sql
= <span class="code-quote" style="color: #009100">" SELECT COUNT (TABLE_NAME ) from information_schema.tables "</span>
+ <span class="code-quote" style="color: #009100">" WHERE table_name = ? "</span>;
<span class="code-keyword" style="color: #000091">try</span> ( PreparedStatement stmt = conn.prepareStatement( sql ) )
{
stmt.setString( 1, <span class="code-quote" style="color: #009100">"SITE_USER"</span> );
<span class="code-keyword" style="color: #000091">try</span> ( ResultSet res = stmt.executeQuery() )
{
<span class="code-keyword" style="color: #000091">while</span> ( res.next() )
{
<span class="code-keyword" style="color: #000091">return</span> res.getInt( 1 );
}
}
<span class="code-keyword" style="color: #000091">return</span> <span class="code-keyword" style="color: #000091">null</span>;
}
} );
assertThat( siteUserTables, greaterThan( 0 ) );
}
</pre>
</div>
</div> <p style="margin-top:0;margin-bottom:10px;; margin: 10px 0 0">it should probably be implemented as</p>
<div class="code panel" style="border-width: 1px;; border: 1px solid #cccccc; background: #f5f5f5; font-size: 12px; line-height: 1.333; font-family: monospace; border: 1px solid #cccccc; -moz-border-radius: 3px; border-radius: 3px; margin: 9px 0">
<div class="codeContent panelContent" style="padding: 9px 12px">
<pre class="code-java" style="margin: 10px 0 0; margin-top: 0; max-height: 30em; overflow: auto; white-space: pre-wrap; word-wrap: normal">
@Override
<span class="code-keyword" style="color: #000091">public</span> <span class="code-object" style="color: #910091">String</span> getSelectSequenceNextValString(<span class="code-object" style="color: #910091">String</span> sequenceName) {
<span class="code-keyword" style="color: #000091">return</span> quote( sequenceName ) + <span class="code-quote" style="color: #009100">".nextval"</span>;
}
</pre>
</div>
</div> <p style="margin-top:0;margin-bottom:10px;; margin: 10px 0 0">of course then looking at the implementation of <tt>Dialect.quote</tt>, it wouldn't actually do anything. After reviewing, oracle, h2, and postgres docs (pg says this)</p>
<blockquote style="margin: 10px 0 0; border-left: 1px solid #cccccc; color: #707070; margin-left: 19px; padding: 10px 20px">
<p style="margin-top:0;margin-bottom:10px;; margin: 10px 0 0; margin-top: 0">Note that dollar signs are not allowed in identifiers according to the letter of the SQL standard, so their use might render applications less portable.</p>
</blockquote> <p style="margin-top:0;margin-bottom:10px;; margin: 10px 0 0">I think that the quoting character for an identifier is never allowed in an identifier. So I think this can be added to the beginning of quote. <tt>StringUtils</tt> is from apache commons lang3</p>
<div class="code panel" style="border-width: 1px;; border: 1px solid #cccccc; background: #f5f5f5; font-size: 12px; line-height: 1.333; font-family: monospace; border: 1px solid #cccccc; -moz-border-radius: 3px; border-radius: 3px; margin: 9px 0">
<div class="codeContent panelContent" style="padding: 9px 12px">
<pre class="code-java" style="margin: 10px 0 0; margin-top: 0; max-height: 30em; overflow: auto; white-space: pre-wrap; word-wrap: normal">
<span class="code-keyword" style="color: #000091">if</span> ( StringUtils.containsAny( name, <span class="code-keyword" style="color: #000091">this</span>.openQuote(), <span class="code-keyword" style="color: #000091">this</span>.closeQuote() )) {
<span class="code-object" style="color: #910091">String</span> msg = <span class="code-object" style="color: #910091">String</span>.format( <span class="code-quote" style="color: #009100">"illegal characters in: <span class="code-quote" style="color: #009100">'%s'</span>"</span>, name );
<span class="code-keyword" style="color: #000091">throw</span> <span class="code-keyword" style="color: #000091">new</span> IllegalArgumentException( msg );
}
</pre>
</div>
</div> <p style="margin-top:0;margin-bottom:10px;; margin: 10px 0 0">If this plan is approved I can write a patch, including one that doesn't use commons lang 3</p> </td>
</tr>
</tbody>
</table> </td>
</tr>
<tr>
<td class="email-content-main mobile-expand " style="padding: 0; border-collapse: collapse; border-left: 1px solid #cccccc; border-right: 1px solid #cccccc; border-top: 0; border-bottom: 0; padding: 0 15px 0 16px; background-color: #ffffff" bgcolor="#ffffff"> <script type="application/ld+json">
{
"@context": "http://schema.org",
"@type": "EmailMessage",
"description": "View Issue",
"potentialAction": {
"@type": "ViewAction",
"target": "https://hibernate.atlassian.net/browse/HHH-11590?inbox=true&",
"name": "View Issue"
},
"publisher": {
"@type": "Organization",
"name": "Atlassian",
"url": "https://www.atlassian.com"
}
}
</script>
<table id="actions-pattern" cellspacing="0" cellpadding="0" border="0" width="100%" style="border-collapse: collapse; mso-table-lspace: 0; mso-table-rspace: 0; font-family: Arial, sans-serif; font-size: 14px; line-height: 20px; mso-line-height-rule: exactly; mso-text-raise: 1px">
<tbody>
<tr>
<td id="actions-pattern-container" valign="middle" style="padding: 0; border-collapse: collapse; padding: 10px 0 10px 24px; vertical-align: middle; padding-left: 0">
<table align="left" style="border-collapse: collapse; mso-table-lspace: 0; mso-table-rspace: 0">
<tbody>
<tr>
<td class="actions-pattern-action-icon-container" style="padding: 0; border-collapse: collapse; font-family: Arial, sans-serif; font-size: 14px; line-height: 20px; mso-line-height-rule: exactly; mso-text-raise: 0; vertical-align: middle"> <a href="https://hibernate.atlassian.net/browse/HHH-11590#add-comment" target="_blank" title="Add Comment" style="color: #3b73af; text-decoration: none"> <img class="actions-pattern-action-icon-image" src="cid:jira-generated-image-static-comment-icon-02a1c94f-423e-4107-a51e-cf7e8e0eb917" alt="Add Comment" title="Add Comment" height="16" width="16" border="0" style="vertical-align: middle"> </a> </td>
<td class="actions-pattern-action-text-container" style="padding: 0; border-collapse: collapse; font-family: Arial, sans-serif; font-size: 14px; line-height: 20px; mso-line-height-rule: exactly; mso-text-raise: 4px; padding-left: 5px"> <a href="https://hibernate.atlassian.net/browse/HHH-11590#add-comment" target="_blank" title="Add Comment" style="color: #3b73af; text-decoration: none">Add Comment</a> </td>
</tr>
</tbody>
</table> </td>
</tr>
</tbody>
</table> </td>
</tr>
<!-- there needs to be content in the cell for it to render in some clients -->
<tr>
<td class="email-content-rounded-bottom mobile-expand" style="padding: 0; border-collapse: collapse; color: #ffffff; padding: 0 15px 0 16px; height: 5px; line-height: 5px; background-color: #ffffff; border-top: 0; border-left: 1px solid #cccccc; border-bottom: 1px solid #cccccc; border-right: 1px solid #cccccc; border-bottom-right-radius: 5px; border-bottom-left-radius: 5px; mso-line-height-rule: exactly" height="5" bgcolor="#ffffff"> </td>
</tr>
</tbody>
</table> </td>
</tr>
<tr>
<td id="footer-pattern" style="padding: 0; border-collapse: collapse; padding: 12px 20px">
<table id="footer-pattern-container" cellspacing="0" cellpadding="0" border="0" style="border-collapse: collapse; mso-table-lspace: 0; mso-table-rspace: 0">
<tbody>
<tr>
<td id="footer-pattern-text" class="mobile-resize-text" width="100%" style="padding: 0; border-collapse: collapse; color: #999999; font-size: 12px; line-height: 18px; font-family: Arial, sans-serif; mso-line-height-rule: exactly; mso-text-raise: 2px"> This message was sent by Atlassian JIRA <span id="footer-build-information">(v1000.844.1#100035-<span title="ca7c2ca47ad02c2098e956fffbf89820cc12f6d8" data-commit-id="ca7c2ca47ad02c2098e956fffbf89820cc12f6d8}">sha1:ca7c2ca</span>)</span> </td>
<td id="footer-pattern-logo-desktop-container" valign="top" style="padding: 0; border-collapse: collapse; padding-left: 20px; vertical-align: top">
<table style="border-collapse: collapse; mso-table-lspace: 0; mso-table-rspace: 0">
<tbody>
<tr>
<td id="footer-pattern-logo-desktop-padding" style="padding: 0; border-collapse: collapse; padding-top: 3px"> <img id="footer-pattern-logo-desktop" src="cid:jira-generated-image-static-footer-desktop-logo-e8c18646-e5a7-4b38-90d9-88b952bca220" alt="Atlassian logo" title="Atlassian logo" width="169" height="36" class="image_fix"> </td>
</tr>
</tbody>
</table> </td>
</tr>
</tbody>
</table> </td>
</tr>
</tbody>
</table>
</body>
</html>