[Hibernate-JIRA] Created: (HHH-6672) Inserting UNION a HQL and JP-QL query string truncates the query. This makes exploiting HQL Injections easier. Security issue.
by Peter Schuler (JIRA)
Inserting UNION a HQL and JP-QL query string truncates the query. This makes exploiting HQL Injections easier. Security issue.
------------------------------------------------------------------------------------------------------------------------------
Key: HHH-6672
URL: http://opensource.atlassian.com/projects/hibernate/browse/HHH-6672
Project: Hibernate Core
Issue Type: Bug
Components: query-hql
Affects Versions: 4.0.0.CR3, 3.6.7
Environment: Mysql Database
Reporter: Peter Schuler
Inserting the word 'union' anywhere in a HQL or JP-QL query truncates the query string. I consider this a security issue because it makes exploiting HQL of JP-QL injections easier.
For example:
from Persoon p where p.persoonId = '1' --> returns just 1 entry.
But:
from Persoon p union where p.persoonId = '1' --> ignores the part after union and returns the whole table.
However:
from Persoon p unionS where p.persoonId = '1' --> or any other word results in a QuerySyntaxException as is expected.
This behaviour is documented in HHH-1050. It looks like this in a halfway implemented feature.
This undocumented behaviour is a security risk because it makes exploiting JP-QL or HQL injections a lot easier. If you can inject into the query string you can easily truncate the remainder of the query. Even if the remainder will somehow restrict the the query result.
This can be fixed changing the behaviour of the query parser by throwing a QuerySyntaxException.
ps: I'll try to add a test case but I hope I've provided enough information.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
11 years, 11 months
[Hibernate-JIRA] Created: (HHH-3818) Hibernate/JBC integration doesn't property handle Entity/CollectionRegionAccessStrategy evict
by Brian Stansberry (JIRA)
Hibernate/JBC integration doesn't property handle Entity/CollectionRegionAccessStrategy evict
---------------------------------------------------------------------------------------------
Key: HHH-3818
URL: http://opensource.atlassian.com/projects/hibernate/browse/HHH-3818
Project: Hibernate Core
Issue Type: Bug
Components: caching (L2)
Affects Versions: 3.3.1
Reporter: Brian Stansberry
Assignee: Brian Stansberry
Fix For: 3.3.x
EntityRegionAccessStrategy and CollectionRegionAccessStrategy have evict(Object key) and evictAll() that say they must cause removal of items from the cache "immediately without regard for transaction isolation." The Hibernate/JBC integration is not properly handling this as the JBC removeNode calls it makes are not dealing with transactional issues. The integration needs to:
1) Perhaps suspend any ongoing tx (particularly since these calls are typically made from a tx Synchronization's afterCompletion() callback, when the tx is Status.COMMITTED and it isn't appropriate to call into the cache expecting the cache to incorporate the call into the transaction. (Alhthough I believe JBC handles this correctly by ignoring the tx, since it isn't ACTIVE).
2) Deal with the fact that the tx that is being committed is likely holding locks in JBC. This is the big issue. I believe dealing with this will a) require keeping state in the Hib/JBC integration layer's Region to track that an eviction has occurred but may not be reflected in JBC b) using JBC as a notification bus to propagate the fact of the eviction to other nodes c) attempting to evict the data from JBC locally, failing promptly in the face of lock conflicts d) including in any get() or putFromLoad() calls logic to check the state from a), again attempting to evict locally (with a very short timeout) if not yet evicted and not allowing calls to proceed into JBC until successful.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://opensource.atlassian.com/projects/hibernate/secure/Administrators....
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
11 years, 11 months
[Hibernate-JIRA] Created: (HHH-6769) invalid Character - problem with aliasing
by bahadir guldiken (JIRA)
invalid Character - problem with aliasing
-----------------------------------------
Key: HHH-6769
URL: http://opensource.atlassian.com/projects/hibernate/browse/HHH-6769
Project: Hibernate Core
Issue Type: Bug
Components: core, query-hql
Affects Versions: 3.2.6
Environment: oracle 10g, glassfish2.1, solarıs 10, Hibernate3.2.6GA
Reporter: bahadir guldiken
We have a system running for months without any problem.
But somewhat it started to get intermittently:
javax.persistence.PersistenceException: org.hibernate.exception.SQLGrammarException: could not execute query
ORA-00911 illegal character
When we enabled "show_sql" from persistence.xml, we get the following query:
Hibernate: select party?dent0_.identity_id as identity1_36_, party?dent0_.description as descript2_36_, party?dent0_.identification_type_id as identifi9_36_, party?dent0_.identity_no as identity3_36_, party?dent0_.issue_date as issue4_36_, party?dent0_.lang_id as lang10_36_, party?dent0_.name as name36_, party?dent0_.party_id as party11_36_, party?dent0_.scan_image as scan6_36_, party?dent0_.validFor_end_date as validFor7_36_, party?dent0_.validFor_start_date as validFor8_36_ from party_identification party?dent0_ where party?dent0_.identity_no=?|#]
It seems the aliasing "from party_identification party?dent0_" causing the problem by putting '?'.
We suspected from locale or other things but turned away since restarting application was solving the problem for a random period.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
11 years, 11 months
[Hibernate-JIRA] Created: (HHH-4857) Sharing some of the config info from Ejb3Configuration and SessionFactoryImpl
by Chris Baxter (JIRA)
Sharing some of the config info from Ejb3Configuration and SessionFactoryImpl
-----------------------------------------------------------------------------
Key: HHH-4857
URL: http://opensource.atlassian.com/projects/hibernate/browse/HHH-4857
Project: Hibernate Core
Issue Type: New Feature
Components: core, entity-manager
Reporter: Chris Baxter
Priority: Minor
In our system, we have each clients data in a separate DB instance. We're using JPA (via hibernate) on top of that to get at the data. The problem here is that for each client DB supported by one of our jboss servers, we have to have an instance of EntityManagerFactory compete with an Ejb3Configuration instance. Each config instance takes up around 20 MBs of permanent space, so if we have have 1000 client DBs supported by a jboss instance, it takes up a hugh amount of memory for information that will always be the same (the DB schemas are always the exact same in each client DB) across all EntityManagerFactory instances. So what I want to know is if there is a way to only have one instance of Ejb3Configuration that can be shared across all of the EntityManagerFactory instances that are spawning my EntityManagers. This would be huge as it would help me save many gigs of memory that never can be collected (old gen in jboss).
I prototyped some changes locally to Ejb3Configuration (to allow an instance of AnnotationConfiguration to be supplied in the constructor, allowing sharing across all instanced of this class) and to SessionFactoryImpl (to share some of the properties like entityPersisters, classMetadata and such) and I was able to reduce the footprint to 20 MBs for the first DB and then under a MB for each additional DB. The changes I made were a bit quick and dirty though, just to see if it was possible. So I'm taking out this feature request to see if this is a piece of work that you guys can do (or I can contribute after refactoring to a more suitable approach) and integrate into the main code for hibernate-core and hibernate-entitymanager. Let me know if this is something you guys think to be a valuable addition.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://opensource.atlassian.com/projects/hibernate/secure/Administrators....
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
11 years, 11 months