David Jorm commented on Bug HHH-6672

A similar problem occurs when a closing bracket ")" without a preceding opening bracket "(" is encountered. The problem occurs when a recursive grammar rule includes an exit condition that does not validate that it is used inside a recursive call - thus, it can exit at any time, and not only during a recursion, when faced with the exit condition.

Specifically in hql.g, "queryRule" is defined to return (exit) if it sees CLOSE ')' or 'UNION'. These symbols are not a legitimate "exit condition" if there is no recursion currently happening, as mentioned above.

Thanks to Nadav Grossman and Ory Segal of Akamai for providing these details. At this time I have not requested a CVE ID for this flaw, as it relies on string concatenation of queries in a user application to be exploitable. However, it is a legitimate security concern that should be addressed.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
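Constructed toy model of the exit-condition problem described in the comment above (an added example, not the hql.g grammar or any Hibernate code): a recursive-descent "query" rule that, like the reported queryRule, returns when it meets ")" or UNION. The strict variant also tracks nesting depth and requires the top-level rule to consume all input, so a ")" with no preceding "(" is rejected instead of silently ending the parse. The tokenizer, ParseError and parse_statement are assumptions of this model; UNION chaining is not modelled.

```python
import re

# Constructed tokenizer: parentheses, words, and short runs of operator characters.
TOKEN_RE = re.compile(r"\s*(\(|\)|\w+|[=:.,<>*?]+)")


class ParseError(ValueError):
    """Raised by the strict parser when the input is not well formed."""


def tokenize(text):
    """Split a query string into a flat list of tokens."""
    return [m.group(1) for m in TOKEN_RE.finditer(text)]


def parse_query(tokens, pos=0, depth=0, strict=True):
    """Parse one query starting at tokens[pos]; return the index just past it.

    Mirrors the reported rule: walk tokens until the exit condition ")" or UNION.
    With strict=False the rule exits unconditionally (the flaw). With strict=True
    an exit on ")" is only legal when depth > 0, i.e. inside a recursive call.
    """
    while pos < len(tokens):
        tok = tokens[pos]
        if tok == "(":
            # Recursive call for a parenthesised subquery; the callee stops at ")".
            pos = parse_query(tokens, pos + 1, depth + 1, strict)
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ParseError("unclosed '('")
            pos += 1
        elif tok == ")" or tok.upper() == "UNION":
            if strict and tok == ")" and depth == 0:
                raise ParseError("unbalanced ')' at token %d" % pos)
            return pos  # exit condition: hand control back to the caller
        else:
            pos += 1
    return pos


def parse_statement(text, strict=True):
    """Top-level rule. Returns the tokens left unconsumed (empty when strict)."""
    tokens = tokenize(text)
    end = parse_query(tokens, 0, 0, strict)
    if strict and end != len(tokens):
        # Anything after a top-level exit is a hard error, not ignored input.
        raise ParseError("trailing input: " + " ".join(tokens[end:]))
    return tokens[end:]


def is_well_formed(text):
    """Defensive check: True only if the strict rule consumes the whole input."""
    try:
        parse_statement(text)
        return True
    except ParseError:
        return False
```

With strict=False the stray ")" ends the parse and everything after it is returned untouched, which is the behaviour the comment describes; the strict rule reports it as an error.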