[hibernate-issues] [Hibernate-JIRA] Created: (HHH-6672) Inserting UNION into an HQL or JP-QL query string truncates the query. This makes exploiting HQL injections easier. Security issue.

Peter Schuler (JIRA) noreply at atlassian.com
Tue Sep 20 15:47:35 EDT 2011


Inserting UNION into an HQL or JP-QL query string truncates the query. This makes exploiting HQL injections easier. Security issue.
------------------------------------------------------------------------------------------------------------------------------

                 Key: HHH-6672
                 URL: http://opensource.atlassian.com/projects/hibernate/browse/HHH-6672
             Project: Hibernate Core
          Issue Type: Bug
          Components: query-hql
    Affects Versions: 4.0.0.CR3, 3.6.7
         Environment: Mysql Database
            Reporter: Peter Schuler


Inserting the word 'union' anywhere in an HQL or JP-QL query truncates the query string. I consider this a security issue because it makes exploiting HQL or JP-QL injections easier.

For example:
from Persoon p where p.persoonId = '1' --> returns just 1 entry.

But:
from Persoon p union where p.persoonId = '1' --> ignores the part after union and returns the whole table.

However: 
from Persoon p unionS where p.persoonId = '1' --> this (or any other word) results in a QuerySyntaxException, as is expected.

This behaviour is documented in HHH-1050. It looks like this is a halfway implemented feature.

This undocumented behaviour is a security risk because it makes exploiting JP-QL or HQL injections a lot easier. If you can inject into the query string you can easily truncate the remainder of the query, even if the remainder would somehow restrict the query result.

This can be fixed by changing the behaviour of the query parser to throw a QuerySyntaxException.

ps: I'll try to add a test case but I hope I've provided enough information.



--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
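The injection pattern the report describes, beside the parameterised form that avoids it, as an added example written against the Hibernate 3.x/4.x Session API. This is not code from the report or from Hibernate itself. The Persoon entity with String fields persoonId and ownerId, and the Session obtained from a SessionFactory, are assumptions made for the example.

```java
import java.util.List;

import org.hibernate.Query;
import org.hibernate.Session;

// Added example, not from the report or from Hibernate: the concatenation
// pattern that makes the truncation exploitable, and the parameterised fix.
// Assumptions: an entity Persoon with String fields persoonId and ownerId,
// and a Session obtained elsewhere (e.g. sessionFactory.getCurrentSession()).
public class PersoonDao {

    // Builds the query string and returns it, so the effect of attacker
    // input can be inspected without a database.
    static String vulnerableHql(String persoonId, String ownerId) {
        return "from Persoon p where p.persoonId = '" + persoonId
             + "' and p.ownerId = '" + ownerId + "'";
    }

    // VULNERABLE: user input is concatenated into the HQL string.
    // With persoonId = "1' or 1=1 union " and ownerId = "42" the string is
    //   from Persoon p where p.persoonId = '1' or 1=1 union ' and p.ownerId = '42'
    // On the affected versions the report says the parser drops everything
    // from 'union' onward, so the ownerId restriction (and the unbalanced
    // quote that would otherwise make the query fail) disappears and the
    // "or 1=1" clause returns the whole table.
    @SuppressWarnings("unchecked")
    static List<Object> findVulnerable(Session session, String persoonId, String ownerId) {
        Query q = session.createQuery(vulnerableHql(persoonId, ownerId));
        return q.list();
    }

    // FIXED: named parameters. The values are bound as JDBC parameters and
    // never parsed as HQL, so the word 'union' inside them is plain data.
    @SuppressWarnings("unchecked")
    static List<Object> findSafe(Session session, String persoonId, String ownerId) {
        Query q = session.createQuery(
            "from Persoon p where p.persoonId = :persoonId and p.ownerId = :ownerId");
        q.setParameter("persoonId", persoonId);
        q.setParameter("ownerId", ownerId);
        return q.list();
    }

    public static void main(String[] args) {
        // Prints the string the vulnerable method would hand to the parser.
        System.out.println(vulnerableHql("1' or 1=1 union ", "42"));
    }
}
```

The parameterised version is the right fix regardless of whether the parser is changed to reject a stray 'union': the truncation only matters because the query string was built from untrusted input in the first place.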

        


More information about the hibernate-issues mailing list