Code is Vulnerable to SQL Injection

Description

Hi, I noticed in hibernate-testing the following:

In OracleDatabaseCleaner.java, in the clearSchema method, PreparedStatement is not used, and there is no input validation for the variables used in the SQL command at line 101.

For example, if the user passed (XX'  OR '1'='1';--) for schemaName, then DROP TABLE statements for all schemas in the database will be generated and executed in clearSchema0.

Similar issues exist in other files like AbstractMySQLDatabaseCleaner.java and DB2DatabaseCleaner.java.
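The concatenation the report describes, beside a hardened form, as an added example that is not code from hibernate-testing: the page does not show the original line, so the catalog query text, the DDL text and the method names are assumed, and the identifier allowlist is one reasonable choice rather than the project's own. The point it makes is that the owner value can be bound as a parameter, while the identifiers in the generated DROP statements cannot and need a separate check.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.regex.Pattern;

// Added example, not code from hibernate-testing; query text and method names are assumed.
public final class SchemaCleanerExample {
    // Vulnerable shape: the caller-supplied schema name becomes part of the WHERE clause,
    // so a value that closes the quote can widen the match to every owner in the catalog.
    static String tableQueryUnsafe(String schemaName) {
        return "SELECT table_name FROM all_tables WHERE owner = '" + schemaName + "'";
    }

    // Hardened shape: the owner is a value, so it can be bound as a parameter.
    static PreparedStatement tableQuerySafe(Connection connection, String schemaName) throws SQLException {
        PreparedStatement statement = connection.prepareStatement(
                "SELECT table_name FROM all_tables WHERE owner = ?");
        statement.setString(1, schemaName);
        return statement;
    }

    // The DROP statements built from catalog rows use identifiers, which cannot be bound,
    // so each name is checked against an allowlist and quoted before it is spliced in.
    private static final Pattern IDENTIFIER = Pattern.compile("[A-Za-z_][A-Za-z0-9_$#]{0,127}");

    static String quoteIdentifier(String name) {
        if (name == null || !IDENTIFIER.matcher(name).matches()) {
            throw new IllegalArgumentException("not a plain SQL identifier: " + name);
        }
        return "\"" + name + "\"";
    }

    static String dropStatement(String schemaName, String tableName) {
        return "DROP TABLE " + quoteIdentifier(schemaName) + "." + quoteIdentifier(tableName)
                + " CASCADE CONSTRAINTS";
    }

    public static void main(String[] args) {
        // Constructed inputs: a normal schema name and the malformed value quoted in the report.
        String injected = "XX'  OR '1'='1';--";
        System.out.println(tableQueryUnsafe("HIBERNATE_TEST"));
        System.out.println(dropStatement("HIBERNATE_TEST", "T1"));
        try {
            dropStatement(injected, "T1");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

tableQuerySafe needs a live JDBC Connection to an Oracle database; everything main calls runs offline.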

Activity


Dareen Fadul, September 9, 2022 at 5:58 PM

I know that this is used for testing. My bad that I labeled it as a bug, I should’ve chosen improvement. I apologize for that!
The problem I see in such code is the copy-and-paste developers, who could copy this code and use it thinking that Hibernate developers would always perform best practices. It's an opinion, that's all. Thanks for your response.

Gavin King, September 9, 2022 at 5:38 PM

I mean, this seems equivalent to reporting a vulnerability in JDBC, because JDBC lets me execute arbitrary SQL.

Gavin King, September 9, 2022 at 5:36 PM

Can we just close this?

Christian Beikov, September 9, 2022 at 5:00 PM

You do realize that this is only used for automated testing, right?

Rejected

Details

Created September 9, 2022 at 4:33 PM
Updated September 12, 2022 at 10:53 AM
Resolved September 12, 2022 at 10:53 AM