Hi, I noticed the following in hibernate-testing: in OracleDatabaseCleaner.java, in the clearSchema method, PreparedStatement is not used, and there is no input validation for the variables used in the SQL command at line 101.

https://github.com/hibernate/hibernate-orm/blob/fa8b78d345e01d980a6046f226664f28799c73e0/hibernate-testing/src/main/java/org/hibernate/testing/cleaner/OracleDatabaseCleaner.java#L101

For example, if the user passed (XX' OR '1'='1';--) for schemaName, then DROP TABLE statements for all schemas in the database will be generated and executed in clearSchema0.

Similar issues exist in other files like AbstractMySQLDatabaseCleaner.java and DB2DatabaseCleaner.java:

https://github.com/hibernate/hibernate-orm/blob/fa8b78d345e01d980a6046f226664f28799c73e0/hibernate-testing/src/main/java/org/hibernate/testing/cleaner/AbstractMySQLDatabaseCleaner.java#L59
https://github.com/hibernate/hibernate-orm/blob/fa8b78d345e01d980a6046f226664f28799c73e0/hibernate-testing/src/main/java/org/hibernate/testing/cleaner/DB2DatabaseCleaner.java#L164
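The pattern described in the report, as an added illustration that is not code from hibernate-orm: a schema name concatenated into the catalog query that drives DROP TABLE generation, next to a version that binds the value as a parameter and allowlists it as a plain identifier first. The Hibernate cleaners are Java/JDBC; here a Python sqlite3 in-memory table named all_tables stands in for Oracle's ALL_TABLES view, DB-API parameter binding plays the role of PreparedStatement, the catalog rows are constructed, and the identifier pattern and length limit are assumptions for the example, not taken from the project.

```python
import re
import sqlite3

# Constructed sample catalog: (owner, table_name) rows standing in for
# Oracle's ALL_TABLES. Four tables spread over three schemas.
SAMPLE_CATALOG = [
    ("APP_TEST", "ORDERS"),
    ("APP_TEST", "CUSTOMERS"),
    ("HR", "EMPLOYEES"),
    ("SYS", "AUDIT_LOG"),
]

# Assumed allowlist for an unquoted schema/table identifier: a letter followed by
# letters, digits, '_', '$' or '#', at most 128 characters in total.
IDENTIFIER = re.compile(r"[A-Za-z][A-Za-z0-9_$#]{0,127}")


def open_catalog():
    """Build the in-memory stand-in catalog and return the connection."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE all_tables (owner TEXT, table_name TEXT)")
    conn.executemany("INSERT INTO all_tables VALUES (?, ?)", SAMPLE_CATALOG)
    return conn


def drop_statements_vulnerable(conn, schema_name):
    """Mirror of the reported pattern: schema_name is pasted into the SQL text.

    A value such as  XX' OR '1'='1';--  turns the WHERE clause into
    owner = 'XX' OR '1'='1', so every schema's tables are selected and a
    DROP TABLE is generated for each of them.
    """
    sql = (
        "SELECT owner, table_name FROM all_tables WHERE owner = '"
        + schema_name
        + "' ORDER BY owner, table_name"
    )
    rows = conn.execute(sql).fetchall()
    return ["DROP TABLE " + owner + "." + name for owner, name in rows]


def quote_identifier(name):
    """Quote an identifier for use in generated DDL, doubling embedded quotes."""
    return '"' + name.replace('"', '""') + '"'


def drop_statements_safe(conn, schema_name):
    """Hardened form: validate the identifier, then bind it as a parameter.

    Binding protects the catalog query; the allowlist check matters because
    identifiers in the generated DROP TABLE cannot be bound as parameters.
    """
    if not IDENTIFIER.fullmatch(schema_name):
        raise ValueError("schema name is not a plain identifier: %r" % schema_name)
    rows = conn.execute(
        "SELECT owner, table_name FROM all_tables WHERE owner = ? "
        "ORDER BY owner, table_name",
        (schema_name,),
    ).fetchall()
    return [
        "DROP TABLE " + quote_identifier(owner) + "." + quote_identifier(name)
        for owner, name in rows
    ]


def demo(payload="XX' OR '1'='1';--"):
    """Run both variants against the payload quoted in the report.

    Returns (statements generated by the vulnerable variant,
             whether the hardened variant rejected the payload).
    """
    conn = open_catalog()
    leaked = drop_statements_vulnerable(conn, payload)
    try:
        drop_statements_safe(conn, payload)
        rejected = False
    except ValueError:
        rejected = True
    return leaked, rejected


if __name__ == "__main__":
    statements, rejected = demo()
    for stmt in statements:
        print("vulnerable variant would run:", stmt)
    print("hardened variant rejected payload:", rejected)
```

With the report's payload the vulnerable variant yields a DROP TABLE for all four tables across APP_TEST, HR and SYS, while the hardened variant refuses the value before any query runs; a legitimate name such as APP_TEST produces DROP statements for that schema only in both variants.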