> On Dec. 14, 2016, 9:26 p.m., Vamsee Yarlagadda wrote:
> > sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java, lines 2647-2654
> > <https://reviews.apache.org/r/54409/diff/1/?file=1577433#file1577433line2647>
> >
> > Can't we leverage the method used in SENTRY-1557 to make the query simple to construct?
> >
> > More reference for JDO filter constructs:
> > http://etutorials.org/Programming/Java+data+objects/Chapter+9.+The+JDO+Query+Language/9.6+The+Query+Filter/
I think it is a very good idea, but I'd rather do that as a follow-up fix. The goal of this one is to preserve the existing semantics but move all user strings to parameters. I'll investigate the SENTRY-1577 approach in a later change.

- Alexander


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/54409/#review159226
-----------------------------------------------------------


On Dec. 6, 2016, 5:30 a.m., Alexander Kolbasov wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/54409/
> -----------------------------------------------------------
>
> (Updated Dec. 6, 2016, 5:30 a.m.)
>
>
> Review request for sentry, Colin Ma, Hao Hao, kalyan kumar kalvagadda, Sravya Tirukkovalur, Vamsee Yarlagadda, and Vadim Spector.
>
>
> Repository: sentry
>
>
> Description
> -------
>
> SENTRY-1476: SentryStore is subject to JDQL injection
>
>
> Diffs
> -----
>
>   pom.xml f5134875420ed5a1156ae24092e5e203b10417c8
>   sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java f773a4443e81c5cde3aca0056a2e33d528bf4ec9
>   sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java 64df6a5655cf2c121cb44f2274369fbe9d70ec83
>
> Diff: https://reviews.apache.org/r/54409/diff/
>
>
> Testing
> -------
>
>
> Thanks,
>
> Alexander Kolbasov
>
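The change the thread is discussing, as an added illustration that is not the Sentry patch itself: a JDOQL filter assembled by string concatenation next to the parameterized form that keeps the same semantics, plus the multi-name variant that the reviewer's comment about query construction points at. `MSentryRole` and its `roleName` field are assumed stand-ins for the persistent class SentryStore queries; `pm` is whatever JDO `PersistenceManager` the caller already holds.

```java
import java.util.Collection;
import java.util.List;
import javax.jdo.PersistenceManager;
import javax.jdo.Query;
import javax.jdo.annotations.PersistenceCapable;

// Added illustration, not SentryStore's code. MSentryRole is an assumed
// stand-in for the persistent role class; only the roleName field matters here.
@PersistenceCapable
class MSentryRole {
    String roleName;
}

public class RoleQueries {

    // BEFORE: the caller-supplied name is spliced into the JDOQL filter text.
    // A quote or operator inside roleName is parsed as query grammar rather
    // than as data, which is the injection class SENTRY-1476 describes.
    @SuppressWarnings("unchecked")
    static List<MSentryRole> rolesByNameUnsafe(PersistenceManager pm, String roleName) {
        Query query = pm.newQuery(MSentryRole.class);
        query.setFilter("this.roleName == \"" + roleName + "\"");
        return (List<MSentryRole>) query.execute();
    }

    // AFTER: the filter text is a constant and the value is a declared
    // parameter. JDO binds it as a literal, so the filter structure cannot
    // change whatever roleName contains; the query semantics are unchanged.
    @SuppressWarnings("unchecked")
    static List<MSentryRole> rolesByNameSafe(PersistenceManager pm, String roleName) {
        Query query = pm.newQuery(MSentryRole.class);
        query.declareParameters("java.lang.String pRoleName");
        query.setFilter("this.roleName == pRoleName");
        return (List<MSentryRole>) query.execute(roleName);
    }

    // The multi-name case that concatenation makes awkward (chains of
    // roleName == "a" || roleName == "b") becomes one collection parameter;
    // JDOQL's contains() performs the membership test over bound values.
    @SuppressWarnings("unchecked")
    static List<MSentryRole> rolesByNamesSafe(PersistenceManager pm, Collection<String> names) {
        Query query = pm.newQuery(MSentryRole.class);
        query.declareParameters("java.util.Collection pNames");
        query.setFilter("pNames.contains(this.roleName)");
        return (List<MSentryRole>) query.execute(names);
    }
}
```

A quick check when reviewing such a change is to grep for `setFilter(` and `newQuery(` calls whose argument is built with `+` or `String.format` on a request-derived value; every remaining one is a candidate for the same treatment.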