[
https://issues.apache.org/jira/browse/PHOENIX-3613?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15832081#comment-15832081
]
Hadoop QA commented on PHOENIX-3613:
------------------------------------
-1 overall. Here are the results of testing the latest attachment
http://issues.apache.org/jira/secure/attachment/12848583/PHOENIX-3613.patch
against master branch at commit e7ef25eca2468e6d0a154b5e3539219f07748f22.
ATTACHMENT ID: 12848583

+1 @author. The patch does not contain any @author tags.

-1 tests included. The patch doesn't appear to include any new or modified tests.
Please justify why no new tests are needed for this patch.
Also please list what manual steps were performed to verify this patch.

+1 javac. The applied patch does not increase the total number of javac compiler warnings.

-1 javadoc. The javadoc tool appears to have generated 43 warning messages.

+1 release audit. The applied patch does not increase the total number of release audit warnings.

+1 lineLengths. The patch does not introduce lines longer than 100

-1 core tests. The patch failed these unit tests:

Test results:
https://builds.apache.org/job/PreCommit-PHOENIX-Build/739//testReport/
Javadoc warnings:
https://builds.apache.org/job/PreCommit-PHOENIX-Build/739//artifact/patchprocess/patchJavadocWarnings.txt
Console output:
https://builds.apache.org/job/PreCommit-PHOENIX-Build/739//console

This message is automatically generated.
> Avoid possible SQL Injection with proper input validations
> ----------------------------------------------------------
>
> Key: PHOENIX-3613
> URL: https://issues.apache.org/jira/browse/PHOENIX-3613
> Project: Phoenix
> Issue Type: Bug
> Reporter: Rajeshbabu Chintaguntla
> Assignee: Rajeshbabu Chintaguntla
> Attachments: PHOENIX-3613.patch
>
>
> There are possible SQL injections:
> Issue 1:
> *Overview*: On line 139 of PhoenixUtil.java, the method
> executeStatementThrowException() invokes a SQL query built using input coming
> from an untrusted source. This call could allow an attacker to modify the
> statement's meaning or to execute arbitrary SQL commands.
> *Comment*: As the source SQL query can have an IN clause in the SQL statement,
> please use this link to fix:
> http://stackoverflow.com/questions/3107044/preparedstatement-with-list-of-parameters-in-a-in-clause
> Issue 2:
> *Overview*: On line 60 of EntityFactory.java, the method findMultiple()
> invokes a SQL query built using input coming from an untrusted source. This
> call could allow an attacker to modify the statement's meaning or to execute
> arbitrary SQL commands.
> *Comment*: The limit value can be misused as well.
> *Tagged*: Suspicious
> *Overview*: On line 154 of PhoenixUtil.java, the method executeStatement()
> invokes a SQL query built using input coming from an untrusted source. This
> call could allow an attacker to modify the statement's meaning or to execute
> arbitrary SQL commands.
> *Comment*: Applying schema to file?
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
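The two remediations the issue description asks for (binding each IN-list value through a PreparedStatement placeholder, as in the linked StackOverflow answer, and treating the LIMIT value as a bounded integer rather than SQL text) are shown together below. This is an added example written for this page, not code from the Phoenix project or from the PHOENIX-3613 patch; the class name SafeInQuery, the helper names, the MAX_LIMIT cap and the assumption that the JDBC driver accepts a bind parameter in LIMIT are all assumptions of the example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Added example (not Phoenix project code): building a query with an IN clause
 * and a LIMIT so that untrusted input is only ever bound as a parameter or
 * validated as an integer, never concatenated into the SQL text.
 */
public final class SafeInQuery {

    /** Assumed upper bound for LIMIT; tune for the deployment. */
    private static final int MAX_LIMIT = 10_000;

    /** Builds "SELECT * FROM t WHERE c IN (?, ?, ...) LIMIT ?" with one placeholder per value. */
    static String buildSql(String table, String column, int valueCount) {
        if (valueCount <= 0) {
            throw new IllegalArgumentException("IN list must not be empty");
        }
        // Identifiers cannot be bound as parameters, so they are allow-listed instead.
        checkIdentifier(table);
        checkIdentifier(column);
        String placeholders = String.join(", ", Collections.nCopies(valueCount, "?"));
        return "SELECT * FROM " + table + " WHERE " + column
                + " IN (" + placeholders + ") LIMIT ?";
    }

    /** Allow-list check for identifiers that must appear in the SQL text. */
    static void checkIdentifier(String ident) {
        if (ident == null || !ident.matches("[A-Za-z_][A-Za-z0-9_.]*")) {
            throw new IllegalArgumentException("Invalid SQL identifier: " + ident);
        }
    }

    /** Parses an untrusted LIMIT string into a bounded positive integer. */
    static int parseLimit(String raw) {
        int limit;
        try {
            limit = Integer.parseInt(raw.trim());
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("LIMIT must be an integer: " + raw, e);
        }
        if (limit < 1 || limit > MAX_LIMIT) {
            throw new IllegalArgumentException("LIMIT out of range: " + limit);
        }
        return limit;
    }

    /** Runs the query, binding every IN value and the limit as parameters. */
    static List<String> findMultiple(Connection conn, String table, String column,
                                     List<String> values, String rawLimit) throws SQLException {
        int limit = parseLimit(rawLimit);               // rejects "10; DROP TABLE ..." outright
        String sql = buildSql(table, column, values.size());
        List<String> rows = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            int idx = 1;
            for (String v : values) {
                ps.setString(idx++, v);                 // a value like "x') OR 1=1 --" stays a literal
            }
            ps.setInt(idx, limit);                      // assumed: driver accepts a bind parameter in LIMIT
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    rows.add(rs.getString(1));
                }
            }
        }
        return rows;
    }
}
```

The number of placeholders is derived from the size of the value list, so the SQL text depends only on trusted identifiers and a count, while every user-supplied value reaches the driver as a typed parameter. If the driver in use does not accept a bind parameter in LIMIT, the validated int returned by parseLimit can be concatenated instead without reintroducing the injection, because it can no longer carry anything but digits.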