[ https://issues.apache.org/jira/browse/OOZIE-2362?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15334714#comment-15334714 ]
Robert Kanter commented on OOZIE-2362: -------------------------------------- Looks good; here's a few comments: # Let's avoid using Guava unless necessary. They have a tendency to remove methods or be incompatible. {code:java} List<String> params = Lists.newArrayList(); {code} can just be {code:java} List<String> params = new ArrayList<String>(); {code} # There seems to be a few places where we're getting {{bulkFilter.get(BulkResponseImpl.BULK_FILTER_STATUS)}}. Can we get that once and pass it around like we're doing with {{bulkFilter.get(BulkResponseImpl.BULK_FILTER_COORD)}}? > SQL injection in BulkJPAExecutor > -------------------------------- > > Key: OOZIE-2362 > URL: https://issues.apache.org/jira/browse/OOZIE-2362 > Project: Oozie > Issue Type: Bug > Components: core, security > Affects Versions: 4.2.0 > Reporter: thierry accart > Assignee: Peter Bacsko > Priority: Critical > Labels: patch > Fix For: trunk > > Attachments: 0001-OOZIE-2362-SQL-injection-in-BulkJPAExecutor.patch, > OOZIE-2362-001.patch > > > In method inClause of org.apache.oozie.executor.jpa.BulkJPAExecutor there is > a poosibility for SQL injection > (https://www.owasp.org/index.php/SQL_injection) : there is no validation of > content of string name before it's included in sql script, opening a > possibility for a malicious user to inject sql commands. > A simple validation of strings using .matches(...) would fix problem. -- This message was sent by Atlassian JIRA (v6.3.4#6332)