[ https://issues.apache.org/jira/browse/FINERACT-682?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16738483#comment-16738483 ]

Vishwas Babu A J commented on FINERACT-682:
-------------------------------------------

Thanks for explaining the issue Shruthi. If I understand correctly, you are
planning to rename existing report parameters as they now do not pass
SQLInjectorValidation. There might be side effects of doing the same:
-> A user interface which has hardcoded existing parameter names for embedding
context specific reports etc. would break.
-> Another possible issue would be that users might have already introduced
other similarly named reporting parameters in their installations and they
would still continue to break.

Can you confirm that there is a need to validate parameter names for containing
DML and DDL substrings? I ask since these parameter names are replaced with
their corresponding queries by Fineract while executing them against the
database, so validating them against an alphanumeric regex should be
sufficient. If you can confirm that this is right, then the more appropriate
fix would be to update the validation itself.

> Renaming stretchy_report parameters conflicting with sql injection
> ------------------------------------------------------------------
>
>                 Key: FINERACT-682
>                 URL: https://issues.apache.org/jira/browse/FINERACT-682
>             Project: Apache Fineract
>          Issue Type: Improvement
>            Reporter: Shruthi  M R
>            Assignee: Shruthi  M R
>            Priority: Major
>             Fix For: 1.3.0
>
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
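The validation choice raised in the comment above, as an added example that is not Fineract's own code: an allowlist identifier regex beside a DML/DDL substring blocklist, run over constructed parameter names to show that the blocklist rejects legitimate names such as updatedDate while the allowlist accepts them and still rejects names carrying quote, semicolon or comment characters. The sample names, the keyword list and the 64-character limit are assumptions.

```python
import re

# Constructed sample parameter names (not taken from any Fineract report);
# they stand in for stretchy_report parameter names substituted into SQL by name.
SAMPLE_PARAMETER_NAMES = [
    "officeIdSelectAll",             # legitimate, but contains the substring "select"
    "updatedDate",                   # legitimate, but contains the substring "update"
    "loanOfficerId",                 # legitimate, contains no keyword
    "x'; DROP TABLE m_office; --",   # hostile: quote, semicolon, comment marker, keyword
    "officeId; --",                  # hostile: no keyword, so a substring check misses it
    "office id",                     # whitespace, not an identifier
]

# Assumed keyword list for the substring blocklist (the approach the comment questions).
DML_DDL_KEYWORDS = ("select", "insert", "update", "delete", "drop", "alter", "create")


def substring_blocklist_check(name: str) -> bool:
    """Blocklist approach: accept the name unless it contains a DML/DDL keyword."""
    lowered = name.lower()
    return not any(keyword in lowered for keyword in DML_DDL_KEYWORDS)


# Allowlist approach suggested in the comment: the name must look like an identifier.
# Letter first, then letters, digits or underscore; length cap of 64 is an assumption.
NAME_PATTERN = re.compile(r"[A-Za-z][A-Za-z0-9_]{0,63}")


def allowlist_check(name: str) -> bool:
    """Allowlist approach: accept only names matching the identifier pattern."""
    return NAME_PATTERN.fullmatch(name) is not None


def compare(names):
    """Map each name to (blocklist verdict, allowlist verdict) for side-by-side review."""
    return {name: (substring_blocklist_check(name), allowlist_check(name)) for name in names}


if __name__ == "__main__":
    for name, (blocklisted_ok, allowlisted_ok) in compare(SAMPLE_PARAMETER_NAMES).items():
        print(f"{name!r:32} blocklist={blocklisted_ok!s:5} allowlist={allowlisted_ok}")
```

Run as a script, the table shows the two false positives of the blocklist (officeIdSelectAll, updatedDate) and the one miss (officeId; --) that the allowlist handles correctly.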