<!-- 
RSS generated by JIRA (1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d) at Thu Feb 08 23:29:39 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary add field=key&field=summary to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>FOLIO Jira</title>
    <link>https://folio-org.atlassian.net</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>1001.0.0-SNAPSHOT</version>
        <build-number>100246</build-number>
        <build-date>07-02-2024</build-date>
    </build-info>

<item>
            <title>[FOLIO-3645] spring-module-core: schema name SQL injection</title>
                <link>https://folio-org.atlassian.net/browse/FOLIO-3645</link>
                <project id="10290" key="FOLIO">FOLIO</project>
                    <description>&lt;p&gt;Code to check for SQL injection:&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://github.com/folio-org/spring-module-core/blob/v1.1.2/tenant/src/main/java/org/folio/spring/tenant/hibernate/HibernateSchemaService.java#L139&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://github.com/folio-org/spring-module-core/blob/v1.1.2/tenant/src/main/java/org/folio/spring/tenant/hibernate/HibernateSchemaService.java#L139&lt;/a&gt;&lt;/p&gt;
&lt;div class=&quot;code panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;codeContent panelContent&quot;&gt;
&lt;pre class=&quot;code-java&quot;&gt;
statement.executeUpdate(&lt;span class=&quot;code-object&quot;&gt;String&lt;/span&gt;.format(&lt;span class=&quot;code-quote&quot;&gt;&quot;CREATE SCHEMA IF NOT EXISTS %s;&quot;&lt;/span&gt;, schema));
&lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;&lt;a href=&quot;https://github.com/folio-org/spring-module-core/blob/v1.1.2/tenant/src/main/java/org/folio/spring/tenant/hibernate/HibernateSchemaService.java#L175&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://github.com/folio-org/spring-module-core/blob/v1.1.2/tenant/src/main/java/org/folio/spring/tenant/hibernate/HibernateSchemaService.java#L175&lt;/a&gt;&lt;/p&gt;
&lt;div class=&quot;code panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;codeContent panelContent&quot;&gt;
&lt;pre class=&quot;code-java&quot;&gt;
statement.executeUpdate(&lt;span class=&quot;code-object&quot;&gt;String&lt;/span&gt;.format(&lt;span class=&quot;code-quote&quot;&gt;&quot;DROP SCHEMA IF EXISTS %s CASCADE;&quot;&lt;/span&gt;, schema));
&lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;&lt;a href=&quot;https://github.com/folio-org/spring-module-core/blob/v1.1.2/tenant/src/main/java/org/folio/spring/tenant/hibernate/HibernateSchemaService.java#L181&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://github.com/folio-org/spring-module-core/blob/v1.1.2/tenant/src/main/java/org/folio/spring/tenant/hibernate/HibernateSchemaService.java#L181&lt;/a&gt;&lt;/p&gt;
&lt;div class=&quot;code panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;codeContent panelContent&quot;&gt;
&lt;pre class=&quot;code-java&quot;&gt;
&lt;span class=&quot;code-object&quot;&gt;String&lt;/span&gt; queryTemplate = &lt;span class=&quot;code-quote&quot;&gt;&quot;SELECT EXISTS(SELECT 1 FROM information_schema.schemata WHERE schema_name = &lt;span class=&quot;code-quote&quot;&gt;&apos;%s&apos;&lt;/span&gt;);&quot;&lt;/span&gt;;
&lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;The third one should use a prepared statement.&lt;/p&gt;

&lt;p&gt;A first and second cannot use a prepared statement because PostgreSQL doesn&apos;t support it for CREATE SCHEMA and DROP SCHEMA. Instead the schema name must be validated before use to mitigate any SQL injection attack.&lt;/p&gt;</description>
                <environment></environment>
        <key id="82437">FOLIO-3645</key>
            <summary>spring-module-core: schema name SQL injection</summary>
                <type id="10001" iconUrl="https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10303?size=medium">Bug</type>
                                            <priority id="10002" iconUrl="https://dev.folio.org/assets/jira-priority/jira-p3.svg">P3</priority>
                        <status id="6" iconUrl="https://folio-org.atlassian.net/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="green"/>
                                    <resolution id="10003">Done</resolution>
                                                        <assignee accountid="557058:ddc9bb7b-6444-4731-9688-566a04c9307c">Jeremy Huff</assignee>
                                                                <reporter accountid="5ee89462f7aa140abd82d11d">Julian Ladisch</reporter>
                                    <labels>
                            <label>Security</label>
                            <label>security-reviewed</label>
                    </labels>
                <created>Mon, 21 Nov 2022 17:44:59 +0000</created>
                <updated>Wed, 8 Mar 2023 15:21:31 +0000</updated>
                            <resolved>Wed, 8 Mar 2023 15:21:31 +0000</resolved>
                                                                        <due></due>
                            <votes>0</votes>
                                    <watches>2</watches>
                                                                <comments>
                                                            <comment id="198408" author="557058:abe52938-e5a4-4b11-be6c-c0d83a4b2577" created="Mon, 21 Nov 2022 20:28:09 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5ee89462f7aa140abd82d11d&quot; class=&quot;user-hover&quot; rel=&quot;5ee89462f7aa140abd82d11d&quot; data-account-id=&quot;5ee89462f7aa140abd82d11d&quot; accountid=&quot;5ee89462f7aa140abd82d11d&quot; rel=&quot;noreferrer&quot;&gt;Julian Ladisch&lt;/a&gt;, thanks for finding this vulnerability. Prepared statements should be trivial. For schema management, easy path would be a utility method (replace String.format) to validate schema with API call to Okapi. More than welcome to put in PR.&lt;/p&gt;</comment>
                    </comments>
                    <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_10000" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummarycf">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10057" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Development Team</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10170"><![CDATA[Other dev]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_10063" key="com.atlassian.jira.plugin.system.customfieldtypes:float">
                        <customfieldname>PO Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                    <customfield id="customfield_10106" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>RCA Group</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10372"><![CDATA[Implementation coding issue]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_10019" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0|i05tkj:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10020" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_10024" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>[CHART] Date of First Response</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Mon, 21 Nov 2022 20:28:09 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10025" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>[CHART] Time in Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                    </customfields>
    </item>
</channel>
</rss>