[ 
https://issues.apache.org/jira/browse/CAMEL-11625?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16112307#comment-16112307
 ] 

Claus Ibsen commented on CAMEL-11625:
-------------------------------------

And btw it's the repository name, that the end user himself configures; it's not
like a dynamic part of a message etc. So any risk is very low.

> Potential SQL injection in JdbcAggregationRepository
> ----------------------------------------------------
>
>                 Key: CAMEL-11625
>                 URL: https://issues.apache.org/jira/browse/CAMEL-11625
>             Project: Camel
>          Issue Type: Improvement
>          Components: camel-sql
>            Reporter: Aurélien Pupier
>             Fix For: Future
>
>
> Quoting Sonar:
> "Applications that execute SQL commands should neutralize any 
> externally-provided values used in those commands. Failure to do so could 
> allow an attacker to include input that changes the query so that unintended 
> commands are executed, or sensitive data is exposed."
> It is the case at 2 places:
> https://github.com/apache/camel/blame/master/components/camel-sql/src/main/java/org/apache/camel/processor/aggregate/jdbc/JdbcAggregationRepository.java#L288
> https://github.com/apache/camel/blame/master/components/camel-sql/src/main/java/org/apache/camel/processor/aggregate/jdbc/JdbcAggregationRepository.java#L357
> The only variable thing is the "repositoryName", so maybe there is some 
> validation previously which prevents users from injecting SQL code, or is it 
> something that only the Camel developer can configure?
> Even if it is the case, it might be a good idea to use some 
> "preparedStatement" to avoid SQL injection in case the previous assumptions are 
> no longer true.
> I reported here because I didn't see any "security" options on the Camel open 
> source JIRA.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
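The thread above turns on one detail a practitioner should keep in mind: the "repositoryName" is used as a table identifier, and JDBC/DB-API bind parameters can only carry values, not identifiers, so a prepared statement alone cannot fix it. The following is an added illustration written for this page (not Camel's code, and the table layout, column names and identifier policy are assumptions) showing that a placeholder cannot name a table and that the workable mitigation is strict validation of the identifier before it is concatenated, with the row key still bound as a parameter.

```python
import re
import sqlite3

# Assumed policy for this illustration: a repository name must be a plain SQL
# identifier (letters, digits, underscore; no quotes, spaces or punctuation).
IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,62}$")


def validated_repository_name(name):
    """Return name unchanged if it is a plain identifier, else raise ValueError."""
    if not IDENTIFIER.match(name):
        raise ValueError("repository name is not a plain SQL identifier: %r" % name)
    return name


def count_rows(conn, repository_name, key):
    """Count rows for a key: the table name is validated, the key is bound."""
    table = validated_repository_name(repository_name)
    # The identifier is concatenated only after validation; the value uses '?'.
    sql = "SELECT COUNT(*) FROM " + table + " WHERE id = ?"
    return conn.execute(sql, (key,)).fetchone()[0]


def placeholder_can_name_table(conn):
    """Show why a prepared statement alone is not the fix: '?' cannot name a table."""
    try:
        conn.execute("SELECT COUNT(*) FROM ? WHERE id = ?", ("aggregation", "k"))
        return True
    except sqlite3.OperationalError:  # syntax error: '?' is not an identifier
        return False


def demo():
    """Run the checks against a constructed in-memory table (sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE aggregation (id TEXT PRIMARY KEY, exchange BLOB)")
    conn.execute("INSERT INTO aggregation VALUES ('k', x'00')")
    results = {
        "count": count_rows(conn, "aggregation", "k"),
        "placeholder_can_name_table": placeholder_can_name_table(conn),
    }
    try:  # a name carrying SQL punctuation is refused before any query is built
        count_rows(conn, "aggregation; --", "k")
        results["rejected"] = False
    except ValueError:
        results["rejected"] = True
    return results
```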
