[FOLIO-3645] spring-module-core: schema name SQL injection Created: 21/Nov/22  Updated: 08/Mar/23  Resolved: 08/Mar/23

Status: Closed
Project: FOLIO
Components: None
Affects versions: None
Fix versions: None

Type: Bug Priority: P3
Reporter: Julian Ladisch Assignee: Jeremy Huff
Resolution: Done Votes: 0
Labels: Security, security-reviewed
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Sprint:
Development Team: Other dev
RCA Group: Implementation coding issue

 Description   

Code to check for SQL injection:

https://github.com/folio-org/spring-module-core/blob/v1.1.2/tenant/src/main/java/org/folio/spring/tenant/hibernate/HibernateSchemaService.java#L139

statement.executeUpdate(String.format("CREATE SCHEMA IF NOT EXISTS %s;", schema));

https://github.com/folio-org/spring-module-core/blob/v1.1.2/tenant/src/main/java/org/folio/spring/tenant/hibernate/HibernateSchemaService.java#L175

statement.executeUpdate(String.format("DROP SCHEMA IF EXISTS %s CASCADE;", schema));

https://github.com/folio-org/spring-module-core/blob/v1.1.2/tenant/src/main/java/org/folio/spring/tenant/hibernate/HibernateSchemaService.java#L181

String queryTemplate = "SELECT EXISTS(SELECT 1 FROM information_schema.schemata WHERE schema_name = '%s');";

The third one should use a prepared statement.

The first and second cannot use a prepared statement because PostgreSQL doesn't support it for CREATE SCHEMA and DROP SCHEMA. Instead, the schema name must be validated before use to mitigate any SQL injection attack.
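The two mitigations the description asks for, shown together as an added example; this is illustrative code written for this ticket, not the spring-module-core code or its eventual fix. The class name SafeSchemaOps, the method names, and the identifier allow-list are assumptions. The existence check binds the schema name as a parameter, while CREATE SCHEMA and DROP SCHEMA, which JDBC cannot parameterise, only ever receive a name that matched a strict allow-list (PostgreSQL unquoted-identifier characters, 63-byte limit), so no quoting, whitespace or statement terminator can reach the statement text.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.regex.Pattern;

// Hypothetical helper; names and the allow-list are assumptions for this example.
public final class SafeSchemaOps {

    // PostgreSQL truncates identifiers to 63 bytes, and an unquoted identifier is
    // letters, digits and underscores, not starting with a digit. Unquoted names are
    // folded to lower case by the server, so only lower case is accepted here.
    private static final Pattern SCHEMA_NAME = Pattern.compile("^[a-z_][a-z0-9_]{0,62}$");

    private SafeSchemaOps() {
    }

    // Allow-list validation: returns the name unchanged or throws. Only names that
    // pass here may be concatenated into DDL, because DDL cannot take bind parameters.
    static String validateSchemaName(String schema) {
        if (schema == null || !SCHEMA_NAME.matcher(schema).matches()) {
            throw new IllegalArgumentException("schema name rejected by allow-list");
        }
        return schema;
    }

    // Replaces String.format("CREATE SCHEMA IF NOT EXISTS %s;", schema).
    static void createSchema(Connection conn, String schema) throws SQLException {
        String safe = validateSchemaName(schema);
        try (Statement st = conn.createStatement()) {
            st.executeUpdate("CREATE SCHEMA IF NOT EXISTS " + safe);
        }
    }

    // Replaces String.format("DROP SCHEMA IF EXISTS %s CASCADE;", schema).
    static void dropSchema(Connection conn, String schema) throws SQLException {
        String safe = validateSchemaName(schema);
        try (Statement st = conn.createStatement()) {
            st.executeUpdate("DROP SCHEMA IF EXISTS " + safe + " CASCADE");
        }
    }

    // Replaces the '%s' template: the name travels as a bound parameter, so the
    // database never interprets it as SQL regardless of its contents.
    static boolean schemaExists(Connection conn, String schema) throws SQLException {
        String sql = "SELECT EXISTS(SELECT 1 FROM information_schema.schemata WHERE schema_name = ?)";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, schema);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() && rs.getBoolean(1);
            }
        }
    }

    // Offline demonstration of the validator on constructed inputs (no database needed).
    public static void main(String[] args) {
        String[] samples = {"diku_mod_example", "tenant;drop", "9abc", "Tenant"};
        for (String s : samples) {
            try {
                validateSchemaName(s);
                System.out.println("accepted: " + s);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + s);
            }
        }
    }
}
```

Running main prints one accepted line (diku_mod_example) and three rejected lines. Validating before the DDL and binding in the query are complementary: the allow-list is the only defence available for CREATE/DROP SCHEMA, while the existence check should not rely on it and should bind the value even after validation.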



 Comments   
Comment by William Welling [ 21/Nov/22 ]

Julian Ladisch, thanks for finding this vulnerability. Prepared statements should be trivial. For schema management, an easy path would be a utility method (replace String.format) to validate schema with API call to Okapi. More than welcome to put in PR.
