SQL injection validator fix

Project: http://git-wip-us.apache.org/repos/asf/fineract/repo
Commit: http://git-wip-us.apache.org/repos/asf/fineract/commit/749ec055
Tree: http://git-wip-us.apache.org/repos/asf/fineract/tree/749ec055
Diff: http://git-wip-us.apache.org/repos/asf/fineract/diff/749ec055

Branch: refs/heads/develop
Commit: 749ec055e9755f75d93fad8bb2ab4b7d6966aa48
Parents: 87e0c59
Author: Konstantin Golub <key.offe...@runbox.com>
Authored: Tue Oct 17 08:23:18 2017 -0300
Committer: Konstantin Golub <key.offe...@runbox.com>
Committed: Tue Oct 17 08:23:18 2017 -0300

----------------------------------------------------------------------
 .../infrastructure/security/utils/SQLInjectionValidator.java   | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/fineract/blob/749ec055/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/utils/SQLInjectionValidator.java
----------------------------------------------------------------------
diff --git 
a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/utils/SQLInjectionValidator.java
 
b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/utils/SQLInjectionValidator.java
index 60c2070..d03b2f4 100644
--- 
a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/utils/SQLInjectionValidator.java
+++ 
b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/utils/SQLInjectionValidator.java
@@ -30,7 +30,7 @@ public class SQLInjectionValidator {
 
        private final static String[] COMMENTS = { "--", "({", "/*", "#" };
 
-       private final static String SQL_PATTERN = "[a-zA-Z_=,\\-'!><.?\"`% 
()0-9]*";
+       private final static String SQL_PATTERN = "[a-zA-Z_=,\\-'!><.?\"`% 
()0-9*\n\r]*";
 
        public final static void validateSQLInput(final String sqlSearch) {
                String lowerCaseSQL = sqlSearch.toLowerCase();
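Review bot: `sqlSearch.toLowerCase()` on the last context line of this hunk folds case with the JVM default locale, so under a Turkish locale `DROP` or `INSERT` becomes a string with a dotless ı that no longer equals the lowercase keyword it is compared against; a security filter should use `sqlSearch.toLowerCase(Locale.ROOT)` (needs `java.util.Locale`). The widened `SQL_PATTERN` now admits `*`, `\n` and `\r`, so detection of a `/*` comment opener rests entirely on the separate `COMMENTS` check and the whitelist no longer rejects newline-separated statements, which any later prefix- or line-based check must tolerate. The character class already permits `'`, `"`, `=`, `-` and `%`, so it cannot by itself exclude a payload like `' or 1=1`; I would state that in a comment on the constant, e.g. `// Heuristic pre-filter only: quotes and operators are allowed here, so callers must still bind parameters rather than concatenate.` The body of `validateSQLInput` continues past this hunk, so I cannot see whether the pattern is applied with `matches()` or `find()`; with `find()` a `[...]*` pattern matches every input and would be vacuous.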
@@ -115,9 +115,9 @@ public class SQLInjectionValidator {
                }
        }
        public final static void validateAdhocQuery(final String sqlSearch) {
-               String lowerCaseSQL = sqlSearch.toLowerCase();
+               String lowerCaseSQL = sqlSearch.toLowerCase().trim();
                for (String ddl : DDL_COMMANDS) {
-                       if (lowerCaseSQL.contains(ddl)) {
+                       if (lowerCaseSQL.startsWith(ddl)) {
                                throw new SQLInjectionException();
                        }
                }
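Review bot: Replacing `contains(ddl)` with `startsWith(ddl)` on the changed `if` line means a DDL keyword anywhere after the first token is now accepted, so an input such as `select 1; drop table x` passes `validateAdhocQuery` and is only stopped if the JDBC driver refuses stacked statements. If the motivation was false positives on substrings such as `created_on`, the narrower fix is a whole-word match instead of a prefix check, combined with rejecting the `;` statement separator if adhoc queries never legitimately contain one; I cannot see `DDL_COMMANDS` or the caller, so confirm both against real usage. The new `toLowerCase().trim()` should also pass `Locale.ROOT`, because default-locale folding (Turkish dotless ı) lets `DROP` escape comparison against `drop`. The sketch below needs `java.util.Locale` and `java.util.regex.Pattern` imported, and the compiled patterns would better be built once into a static field from `DDL_COMMANDS`.
```java
String lowerCaseSQL = sqlSearch.toLowerCase(Locale.ROOT).trim();
// a second statement after ';' would slip past a prefix-only check
if (lowerCaseSQL.indexOf(';') >= 0) {
        throw new SQLInjectionException();
}
for (String ddl : DDL_COMMANDS) {
        // whole-word match anywhere: "created_on" passes, "x; drop table" does not
        if (Pattern.compile("\\b" + Pattern.quote(ddl) + "\\b").matcher(lowerCaseSQL).find()) {
                throw new SQLInjectionException();
        }
}
```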
