This is an automated email from the ASF dual-hosted git repository.

adamsaghy pushed a commit to branch develop
in repository https://gitbox.apache.org/repos/asf/fineract.git


The following commit(s) were added to refs/heads/develop by this push:
     new 987d414ac FINERACT-1724: fix sql injection pattern check
987d414ac is described below

commit 987d414ac6f29a7098951462548f54da87557bb2
Author: jmarta <[email protected]>
AuthorDate: Tue Aug 1 12:50:16 2023 +0200

    FINERACT-1724: fix sql injection pattern check
---
 .../fineract/infrastructure/security/utils/SQLCommandCondition.java     | 2 +-
 .../fineract/infrastructure/security/utils/SQLInjectionValidator.java   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git 
a/fineract-core/src/main/java/org/apache/fineract/infrastructure/security/utils/SQLCommandCondition.java
 
b/fineract-core/src/main/java/org/apache/fineract/infrastructure/security/utils/SQLCommandCondition.java
index 4f78ddc4a..0047a6b24 100644
--- 
a/fineract-core/src/main/java/org/apache/fineract/infrastructure/security/utils/SQLCommandCondition.java
+++ 
b/fineract-core/src/main/java/org/apache/fineract/infrastructure/security/utils/SQLCommandCondition.java
@@ -20,5 +20,5 @@ package org.apache.fineract.infrastructure.security.utils;
 
 public interface SQLCommandCondition {
 
-    boolean checkCondition(String command, String sql);
+    boolean checkCondition(String sql, String command);
 }
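Review bot: Swapping the parameter names to `checkCondition(String sql, String command)` changes only what each position is documented to mean; both parameters are still `String`, so an implementation written against the old `(command, sql)` order (any lambda or class implementing this interface lives outside the diff) compiles unchanged and now receives the values reversed without any warning. The interface has no Javadoc stating the contract, which is how the original mix-up went unnoticed; consider adding `/** Returns true when {@code sql} (the caller passes it lower-cased) matches {@code command}; a true result makes the validator throw SQLInjectionException. */` above the method so implementers can check their argument order against it. The same positional ambiguity applies to the call site in the SQLInjectionValidator hunk, where the fix itself is the argument swap.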
diff --git 
a/fineract-core/src/main/java/org/apache/fineract/infrastructure/security/utils/SQLInjectionValidator.java
 
b/fineract-core/src/main/java/org/apache/fineract/infrastructure/security/utils/SQLInjectionValidator.java
index ec8dd9701..75ebcb027 100644
--- 
a/fineract-core/src/main/java/org/apache/fineract/infrastructure/security/utils/SQLInjectionValidator.java
+++ 
b/fineract-core/src/main/java/org/apache/fineract/infrastructure/security/utils/SQLInjectionValidator.java
@@ -144,7 +144,7 @@ public final class SQLInjectionValidator {
 
     private static void validateSQLCommand(String lowerCaseSQL, String[] 
commands, SQLCommandCondition condition) {
         for (String command : commands) {
-            if (condition.checkCondition(command, lowerCaseSQL)) {
+            if (condition.checkCondition(lowerCaseSQL, command)) {
                 throw new SQLInjectionException();
             }
         }
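Review bot: The corrected call `condition.checkCondition(lowerCaseSQL, command)` is not pinned by any test in this commit, yet a reversed argument order is exactly the defect the compiler cannot catch here, since both parameters are `String`. A regression test that feeds a representative command string and a lower-cased input containing it through the public validation entry point and asserts that `SQLInjectionException` is thrown would fail on the old order and pass on the new one, and would also cover the implementations of `SQLCommandCondition` that are outside this diff, which I cannot confirm were updated consistently. The enclosing `validateSQLCommand` method ends outside the hunk.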
