[FOLIO-3645] spring-module-core: schema name SQL injection Created: 21/Nov/22 Updated: 08/Mar/23 Resolved: 08/Mar/23
| Status: | Closed |
| Project: | FOLIO |
| Components: | None |
| Affects versions: | None |
| Fix versions: | None |
| Type: | Bug | Priority: | P3 |
| Reporter: | Julian Ladisch | Assignee: | Jeremy Huff |
| Resolution: | Done | Votes: | 0 |
| Labels: | Security, security-reviewed |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original estimate: | Not Specified |
| Sprint: | |
| Development Team: | Other dev |
| RCA Group: | Implementation coding issue |
| Description |
Code to check for SQL injection:

    statement.executeUpdate(String.format("CREATE SCHEMA IF NOT EXISTS %s;", schema));
    statement.executeUpdate(String.format("DROP SCHEMA IF EXISTS %s CASCADE;", schema));
    String queryTemplate = "SELECT EXISTS(SELECT 1 FROM information_schema.schemata WHERE schema_name = '%s');";

The third one should use a prepared statement. The first and second cannot use a prepared statement because PostgreSQL doesn't support bind parameters for CREATE SCHEMA and DROP SCHEMA. Instead the schema name must be validated before use to mitigate any SQL injection attack.
| Comments |
| Comment by William Welling [ 21/Nov/22 ] |
Julian Ladisch, thanks for finding this vulnerability. Prepared statements should be trivial. For schema management, an easy path would be a utility method (replacing String.format) to validate the schema with an API call to Okapi. More than welcome to put in a PR.
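One way to apply the fix the issue describes (allowlist validation for the two DDL statements, a bind parameter for the existence query), as an added example that is not spring-module-core's own code; the class name, method names and the regex allowlist are assumptions, and the Okapi-based validation suggested in the comment is not modelled here:

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.regex.Pattern;

// Added example; class and method names are assumptions, not the project's API.
public final class SchemaNames {
    // Allowlist for an unquoted PostgreSQL identifier: letter or underscore first,
    // then letters, digits or underscores, at most 63 characters in total.
    private static final Pattern SAFE_SCHEMA = Pattern.compile("^[a-z_][a-z0-9_]{0,62}$");

    private SchemaNames() {}

    /** Returns the name unchanged if it matches the allowlist, otherwise throws.
     *  The rejected value is deliberately not echoed into the message. */
    public static String validateSchema(String schema) {
        if (schema == null || !SAFE_SCHEMA.matcher(schema).matches()) {
            throw new IllegalArgumentException("schema name is not a safe identifier");
        }
        return schema;
    }

    /** CREATE SCHEMA accepts no bind parameter, so the name is validated before concatenation. */
    public static void createSchema(Connection conn, String schema) throws SQLException {
        String safe = validateSchema(schema);
        try (Statement st = conn.createStatement()) {
            st.executeUpdate("CREATE SCHEMA IF NOT EXISTS " + safe);
        }
    }

    /** Same approach for DROP SCHEMA: validate first, then build the DDL string. */
    public static void dropSchema(Connection conn, String schema) throws SQLException {
        String safe = validateSchema(schema);
        try (Statement st = conn.createStatement()) {
            st.executeUpdate("DROP SCHEMA IF EXISTS " + safe + " CASCADE");
        }
    }

    /** The existence check compares a string value, so a prepared statement replaces String.format. */
    public static boolean schemaExists(Connection conn, String schema) throws SQLException {
        String sql = "SELECT EXISTS(SELECT 1 FROM information_schema.schemata WHERE schema_name = ?)";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, schema);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() && rs.getBoolean(1);
            }
        }
    }
}
```

With this allowlist a value such as `x; DROP SCHEMA public CASCADE; --` is rejected before it reaches `executeUpdate`, and the existence query no longer needs the caller to escape single quotes.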