[jbossseam-issues] [JBoss JIRA] Created: (JBSEAM-2099) Support protection against SQL injection in Query order parameter
5:37 a.m.
Support protection against SQL injection in Query order parameter
-----------------------------------------------------------------
Key: JBSEAM-2099
URL: http://jira.jboss.com/jira/browse/JBSEAM-2099
Project: JBoss Seam
Issue Type: Patch
Components: Framework
Affects Versions: 2.0.0.CR2
Reporter: Diego Ballve
Attachments: Query.diff
The 'order' parameter gets directly concatenaded to the query.. that would allow
anything to get injected in the query, possibly resulting in a security threat. This patch
gives the developer extending framework Query the chance to limit the acceptable order
properties.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
5:37 a.m.
New subject: [jbossseam-issues] [JBoss JIRA] Updated: (JBSEAM-2099) Support protection against SQL injection in Query order parameter
[ http://jira.jboss.com/jira/browse/JBSEAM-2099?page=all ]
Diego Ballve updated JBSEAM-2099:
---------------------------------
Attachment: Query.diff
Support protection against SQL injection in Query order parameter
-----------------------------------------------------------------
Key: JBSEAM-2099
URL: http://jira.jboss.com/jira/browse/JBSEAM-2099
Project: JBoss Seam
Issue Type: Patch
Components: Framework
Affects Versions: 2.0.0.CR2
Reporter: Diego Ballve
Attachments: Query.diff
From http://www.jboss.com/index.html?module=bb&op=viewtopic&t=119810
The 'order' parameter gets directly concatenaded to the query.. that would allow
anything to get injected in the query, possibly resulting in a security threat. This patch
gives the developer extending framework Query the chance to limit the acceptable order
properties.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
12:43 p.m.
New subject: [jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-2099) Support protection against SQL injection in Query order parameter
[ http://jira.jboss.com/jira/browse/JBSEAM-2099?page=comments#action_12382303 ]
Matt Drees commented on JBSEAM-2099:
------------------------------------
It looks like the patch requires order clauses to contain either ASC or DESC; I think
it'd be good to make the direction optional.
Support protection against SQL injection in Query order parameter
-----------------------------------------------------------------
Key: JBSEAM-2099
URL: http://jira.jboss.com/jira/browse/JBSEAM-2099
Project: JBoss Seam
Issue Type: Patch
Components: Framework
Affects Versions: 2.0.0.CR2
Reporter: Diego Ballve
Attachments: Query.diff
From http://www.jboss.com/index.html?module=bb&op=viewtopic&t=119810
The 'order' parameter gets directly concatenaded to the query.. that would allow
anything to get injected in the query, possibly resulting in a security threat. This patch
gives the developer extending framework Query the chance to limit the acceptable order
properties.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
2:20 p.m.
New subject: [jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-2099) Support protection against SQL injection in Query order parameter
[ http://jira.jboss.com/jira/browse/JBSEAM-2099?page=comments#action_12382308 ]
Diego Ballve commented on JBSEAM-2099:
--------------------------------------
I did not realize it could be omitted. The check for parts[1] becomes:
valid &= ("".equals(parts[1]) || "ASC".equalsIgnoreCase(parts[1])
|| "DESC".equalsIgnoreCase(parts[1]));
Support protection against SQL injection in Query order parameter
-----------------------------------------------------------------
Key: JBSEAM-2099
URL: http://jira.jboss.com/jira/browse/JBSEAM-2099
Project: JBoss Seam
Issue Type: Patch
Components: Framework
Affects Versions: 2.0.0.CR2
Reporter: Diego Ballve
Attachments: Query.diff
From http://www.jboss.com/index.html?module=bb&op=viewtopic&t=119810
The 'order' parameter gets directly concatenaded to the query.. that would allow
anything to get injected in the query, possibly resulting in a security threat. This patch
gives the developer extending framework Query the chance to limit the acceptable order
properties.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
6:09 a.m.
New subject: [jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-2099) Support protection against SQL injection in Query order parameter
[ http://jira.jboss.com/jira/browse/JBSEAM-2099?page=comments#action_12382332 ]
Felix Ho?feld commented on JBSEAM-2099:
---------------------------------------
IMHO this will not do. I may want to have more complex order clauses containing more than
one property or even properties of child objects like:
SELECT e FROM Employee e ORDER BY e.department.name, e.lastname, e.firstname
I think this will be a common use case. If the order by statement is not defined by a
single property name the patch will not work. Besides it requires that the query object is
extended, so for any users using an xml declaration (and I think this is the vast
majority) it will be useless. Finally it breaks backward compatibility: It would simply
blow up all existing applications that use the order by parameter even if it is hardcoded
into the xml and not an el expression (and that are therefore not even threatened).
As an alternative I suggest running the order against a simple regex, e.g.
if (! order.matches("^[\\w\\s\\.,]$"))
throw new IllegalArgumentException("Invalid order by clause in hql
statement: " + order);
I don't know HQL syntax well enough: In SQL this would still allow appending queries
using UNION but AFAIK UNION is not supported by HQL or JPQL.
BTW I think this bug definitely warants a backport of the final patch and an
"official" advisory.
Support protection against SQL injection in Query order parameter
-----------------------------------------------------------------
Key: JBSEAM-2099
URL: http://jira.jboss.com/jira/browse/JBSEAM-2099
Project: JBoss Seam
Issue Type: Patch
Components: Framework
Affects Versions: 2.0.0.CR2
Reporter: Diego Ballve
Attachments: Query.diff
From http://www.jboss.com/index.html?module=bb&op=viewtopic&t=119810
The 'order' parameter gets directly concatenaded to the query.. that would allow
anything to get injected in the query, possibly resulting in a security threat. This patch
gives the developer extending framework Query the chance to limit the acceptable order
properties.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
6:31 a.m.
New subject: [jbossseam-issues] [JBoss JIRA] Updated: (JBSEAM-2099) Support protection against SQL injection in Query order parameter
[ http://jira.jboss.com/jira/browse/JBSEAM-2099?page=all ]
Pete Muir updated JBSEAM-2099:
------------------------------
Fix Version/s: 2.0.0.GA
Assignee: Norman Richards
Priority: Critical (was: Major)
Support protection against SQL injection in Query order parameter
-----------------------------------------------------------------
Key: JBSEAM-2099
URL: http://jira.jboss.com/jira/browse/JBSEAM-2099
Project: JBoss Seam
Issue Type: Patch
Components: Framework
Affects Versions: 2.0.0.CR2
Reporter: Diego Ballve
Assigned To: Norman Richards
Priority: Critical
Fix For: 2.0.0.GA
Attachments: Query.diff
From http://www.jboss.com/index.html?module=bb&op=viewtopic&t=119810
The 'order' parameter gets directly concatenaded to the query.. that would allow
anything to get injected in the query, possibly resulting in a security threat. This patch
gives the developer extending framework Query the chance to limit the acceptable order
properties.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
6:33 a.m.
New subject: [jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-2099) Support protection against SQL injection in Query order parameter
[ http://jira.jboss.com/jira/browse/JBSEAM-2099?page=comments#action_12382334 ]
Pete Muir commented on JBSEAM-2099:
-----------------------------------
Yes, I don't think Diego's solution is correct.
Support protection against SQL injection in Query order parameter
-----------------------------------------------------------------
Key: JBSEAM-2099
URL: http://jira.jboss.com/jira/browse/JBSEAM-2099
Project: JBoss Seam
Issue Type: Patch
Components: Framework
Affects Versions: 2.0.0.CR2
Reporter: Diego Ballve
Assigned To: Norman Richards
Priority: Critical
Fix For: 2.0.0.GA
Attachments: Query.diff
From http://www.jboss.com/index.html?module=bb&op=viewtopic&t=119810
The 'order' parameter gets directly concatenaded to the query.. that would allow
anything to get injected in the query, possibly resulting in a security threat. This patch
gives the developer extending framework Query the chance to limit the acceptable order
properties.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
7:33 a.m.
New subject: [jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-2099) Support protection against SQL injection in Query order parameter
[ http://jira.jboss.com/jira/browse/JBSEAM-2099?page=comments#action_12382337 ]
Diego Ballve commented on JBSEAM-2099:
--------------------------------------
Felix, I agree this is getting more complex than ideal, but If you want more complex order
you have more to change than just validating the order param. But lets go through the
comments:
First, backward compatibility is not broken. If list of valid params is not set, any is
still acceptable.
Second, I have not been using xml to set up queries, i needed more than what xml could
offer.. but I agree It would be desirable to be able to set valid props from xml.
Third:
- more than one property: still simple, the check could verify that all props are in the
valid list. And actually, I'm splitting the string on spaces, not commas..
'e.lastname,e.firstname' would be seen as 1 prop.. if defined as valid, it would
pass. ;)
- order by child object: we actually use that, the trick is the property must appear in
the select.. the way we solved it, your query would become:
SELECT e, e.department.name as depName FROM Employee e ORDER BY e.department.name
Besides, you need to say e.department.name is a valid order parameter and you need
getResultList() to process the resulting.. if it is List<Object[]> then return a new
List containing item[0].. Not pretty but did the trick.
Not to loose focus, the root of the problem is not to allow anything coming from a mapped
requestParam.order to make it to the HQL query, unchecked. If you can restrict what fields
can be exposed to web user, even better.
Support protection against SQL injection in Query order parameter
-----------------------------------------------------------------
Key: JBSEAM-2099
URL: http://jira.jboss.com/jira/browse/JBSEAM-2099
Project: JBoss Seam
Issue Type: Patch
Components: Framework
Affects Versions: 2.0.0.CR2
Reporter: Diego Ballve
Assigned To: Norman Richards
Priority: Critical
Fix For: 2.0.0.GA
Attachments: Query.diff
From http://www.jboss.com/index.html?module=bb&op=viewtopic&t=119810
The 'order' parameter gets directly concatenaded to the query.. that would allow
anything to get injected in the query, possibly resulting in a security threat. This patch
gives the developer extending framework Query the chance to limit the acceptable order
properties.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
2:42 p.m.
New subject: [jbossseam-issues] [JBoss JIRA] Closed: (JBSEAM-2099) Support protection against SQL injection in Query order parameter
[ http://jira.jboss.com/jira/browse/JBSEAM-2099?page=all ]
Norman Richards closed JBSEAM-2099.
-----------------------------------
Resolution: Done
Thanks for catching this. After examining the issue, I implemented something very similar
to Felix's suggestion to filter out sql injection hacks without imposing any other
constraints on the parameter.
The use of the order attribute as a direct request parameter is inherently flawed. We
should change seam-gen, and perhaps the Query class itself, to support a better nothing of
sortable columns than passing text strings that get appended to the query. What we are
doing now is bad, and we should NOT be encouraging people to do it like that.
Support protection against SQL injection in Query order parameter
-----------------------------------------------------------------
Key: JBSEAM-2099
URL: http://jira.jboss.com/jira/browse/JBSEAM-2099
Project: JBoss Seam
Issue Type: Patch
Components: Framework
Affects Versions: 2.0.0.CR2
Reporter: Diego Ballve
Assigned To: Norman Richards
Priority: Critical
Fix For: 2.0.0.GA
Attachments: Query.diff
From http://www.jboss.com/index.html?module=bb&op=viewtopic&t=119810
The 'order' parameter gets directly concatenaded to the query.. that would allow
anything to get injected in the query, possibly resulting in a security threat. This patch
gives the developer extending framework Query the chance to limit the acceptable order
properties.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
6762
days inactive
6764
days old
8 comments
5 participants
participants (5)
-
Diego Ballve (JIRA) -
Felix Ho?feld (JIRA)
-
Matt Drees (JIRA)
-
Norman Richards (JIRA)
-
Pete Muir (JIRA)