[jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-2099) Support protection against SQL injection in Query order parameter

Diego Ballve (JIRA) jira-events at lists.jboss.org
Sun Oct 14 08:33:03 EDT 2007


    [ http://jira.jboss.com/jira/browse/JBSEAM-2099?page=comments#action_12382337 ] 
            
Diego Ballve commented on JBSEAM-2099:
--------------------------------------

Felix, I agree this is getting more complex than ideal, but if you want more complex ordering you have more to change than just validating the order param. But let's go through the comments:

First, backward compatibility is not broken. If the list of valid params is not set, any is still acceptable.

Second, I have not been using XML to set up queries, I needed more than what XML could offer... but I agree it would be desirable to be able to set valid props from XML.

Third:

- more than one property: still simple, the check could verify that all props are in the valid list. And actually, I'm splitting the string on spaces, not commas... 'e.lastname,e.firstname' would be seen as 1 prop... if defined as valid, it would pass. ;)

- order by child object: we actually use that, the trick is the property must appear in the select... the way we solved it, your query would become:

SELECT e, e.department.name as depName FROM Employee e ORDER BY e.department.name

Besides, you need to say e.department.name is a valid order parameter and you need getResultList() to process the result... if it is List<Object[]> then return a new List containing item[0]... Not pretty, but it did the trick.

Not to lose focus, the root of the problem is not to allow anything coming from a mapped requestParam.order to make it into the HQL query unchecked. If you can restrict what fields can be exposed to the web user, even better.

> Support protection against SQL injection in Query order parameter
> -----------------------------------------------------------------
>
>                 Key: JBSEAM-2099
>                 URL: http://jira.jboss.com/jira/browse/JBSEAM-2099
>             Project: JBoss Seam
>          Issue Type: Patch
>          Components: Framework
>    Affects Versions: 2.0.0.CR2
>            Reporter: Diego Ballve
>         Assigned To: Norman Richards
>            Priority: Critical
>             Fix For: 2.0.0.GA
>
>         Attachments: Query.diff
>
>
> From http://www.jboss.com/index.html?module=bb&op=viewtopic&t=119810
> The 'order' parameter gets directly concatenated to the query... that would allow anything to get injected in the query, possibly resulting in a security threat. This patch gives the developer extending framework Query the chance to limit the acceptable order properties.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
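The whitelist check and the child-object ordering trick described in the comment above, as an added stand-alone example. This is not Seam's own code and not the content of Query.diff: it is a plain Java class with no Seam dependency, so the class name OrderParamValidator, its constructor, and the methods isValidOrder, buildHql and firstColumn are all assumed names. It follows the rules stated in the comment (no restriction configured means any value passes, the parameter is split on whitespace, every token must be in the valid list) and additionally assumes the caller wants to permit the direction keywords asc/desc after a property. The injection string in main() is constructed for the demonstration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Added example (not JBoss Seam code): validate an untrusted "order"
 * request parameter against a developer-declared list of properties
 * before it is concatenated into an HQL query.
 */
public final class OrderParamValidator {

    private final Set<String> validOrderProperties;

    /** No properties declared = no restriction (legacy behaviour, per the comment). */
    public OrderParamValidator(String... validOrderProperties) {
        this.validOrderProperties = Collections.unmodifiableSet(
                new HashSet<String>(Arrays.asList(validOrderProperties)));
    }

    /** Returns true when the untrusted order string may be appended to the query. */
    public boolean isValidOrder(String order) {
        if (order == null || order.trim().length() == 0) {
            return true;                       // no ordering requested
        }
        if (validOrderProperties.isEmpty()) {
            return true;                       // backward compatibility: nothing configured
        }
        // Split on whitespace, not commas: "e.lastname,e.firstname" is one token
        // and passes only if that exact string was declared valid.
        String[] tokens = order.trim().split("\\s+");
        for (String token : tokens) {
            String lower = token.toLowerCase();
            if (lower.equals("asc") || lower.equals("desc")) {
                continue;                      // assumption: direction keywords are allowed
            }
            if (!validOrderProperties.contains(token)) {
                return false;                  // parentheses, subqueries, comments, etc. land here
            }
        }
        return true;
    }

    /** Appends ORDER BY only after the parameter has passed the whitelist check. */
    public String buildHql(String baseHql, String order) {
        if (!isValidOrder(order)) {
            throw new IllegalArgumentException(
                    "order parameter not in the list of valid properties: " + order);
        }
        if (order == null || order.trim().length() == 0) {
            return baseHql;
        }
        return baseHql + " ORDER BY " + order.trim();
    }

    /**
     * Child-object ordering: once a property such as e.department.name is added
     * to the select so it can be ordered on, the result is a List<Object[]>.
     * Keep only item[0] (the entity) so callers still get a list of entities.
     */
    public static List<Object> firstColumn(List<?> results) {
        List<Object> out = new ArrayList<Object>(results.size());
        for (Object row : results) {
            out.add(row instanceof Object[] ? ((Object[]) row)[0] : row);
        }
        return out;
    }

    public static void main(String[] args) {
        OrderParamValidator v = new OrderParamValidator(
                "e.lastname", "e.firstname", "e.department.name");
        String base = "SELECT e, e.department.name as depName FROM Employee e";

        System.out.println(v.buildHql(base, "e.lastname"));
        System.out.println(v.buildHql(base, "e.department.name desc"));
        try {
            // constructed injection attempt arriving via requestParam.order
            v.buildHql(base, "e.lastname, (select max(x.salary) from Employee x)");
        } catch (IllegalArgumentException expected) {
            System.out.println("rejected: " + expected.getMessage());
        }

        // constructed rows in the shape Hibernate returns for the two-column select
        List<Object[]> rows = Arrays.asList(
                new Object[] { "Employee#1", "Sales" },
                new Object[] { "Employee#2", "Engineering" });
        System.out.println(firstColumn(rows));   // [Employee#1, Employee#2]
    }
}
```

A value such as "asc desc" passes the whitelist but is not valid HQL; Hibernate rejects it at parse time, which is the intended outcome: the check only has to guarantee that nothing outside the declared property names reaches the query, not that every accepted string is a sensible ordering.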

        



More information about the seam-issues mailing list