Skip to:

Skip to Jira Navigation
Skip to Side Navigation
Skip to Main Content

Single quote SQL Injection in PostgresClient.delete(table, pojo, handler)

Description

Invoke PostgresClient.delete(table, pojo, handler) with a pojo that has a field that contains a single quote. Example in deleteSingleQuote() unit test:
https://github.com/folio-org/raml-module-builder/blob/8f1e06d9020597208e741fe8aa618f8e051c04dd/domain-models-runtime/src/test/java/org/folio/rest/persist/PostgresClientIT.java#L346-L351

It fails with "unterminated quoted identifier", reported by PostgreSQL's SQL scanner.

CSP Request Details

None

CSP Rejection Details

None

Potential Workaround

None

Linked work items

relates to

PostgresClient should use ? placeholder to avoid SQL Injection

Single quote SQL Injection in PostgresClient.update(table, updateSection, ...)

Single quote SQL Injection in PostgresClient.saveBatch(table, list, handler)

Unit tests fail (24.1.0-SNAPSHOT)

wrong Criteria value masking results in SQL Injection

Checklist

hide

TestRail: Results

Activity

Show:

Resize issue view side panel

Done

Details
Assignee
Julian Ladisch
Reporter
Julian Ladisch
Tester Assignee
Adam Dickmeiss
Labels
back-endplatform-backlogprivacysecurity
Priority
P2
Sprint
None
Development Team
Core: Platform
Fix versions
25.0.0
TestRail: Cases
Open TestRail: Cases
TestRail: Runs
Open TestRail: Runs

Created August 13, 2018 at 7:41 AM

Updated June 15, 2020 at 8:37 AM

Resolved May 22, 2019 at 8:49 PM

TestRail: Cases

TestRail: Runs