[ https://issues.apache.org/jira/browse/FINERACT-854?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17301097#comment-17301097 ]
Michael Vorburger commented on FINERACT-854:
--------------------------------------------

[~aleks] as this issue has not been worked on in ~9 months, it should not block the 1.5.0 release; I've removed the Fix Version and removed the FINERACT-1305 link. I've also Stopped Progress, and un-assigned it from [~manthan] to make it clear that this is open to be picked up by anyone else interested.

> Use prepared statements instead of string concatenated SQL everywhere
> ---------------------------------------------------------------------
>
>                 Key: FINERACT-854
>                 URL: https://issues.apache.org/jira/browse/FINERACT-854
>             Project: Apache Fineract
>          Issue Type: Improvement
>          Components: Security
>            Reporter: Michael Vorburger
>            Assignee: Manthan Surkar
>            Priority: Major
>              Labels: beginner, scalability, security, technical
>             Fix For: 1.5.0
>
>
> The Fineract code base in many places creates SQL statements through String
> concatenation. This is prone to SQL injection. This is mitigated by the use
> of helper utilities such as
> {{org.apache.fineract.infrastructure.core.api.ApiParameterHelper.sqlEncodeString(String)}}
> and
> {{org.apache.fineract.infrastructure.security.utils.SQLInjectionValidator.validateSQLInput(String)}}
> but I opine that those are workarounds... the better solution, both for
> security and likely also helping with performance (at least a little bit,
> knowing how much would require measuring it...), would be to use JDBC
> prepared statements with '?' placeholders and passing all raw arguments,
> instead of embedding them in the query String.
>
> FINERACT-808 root cause analysis brought this up, and I'm about to raise a PR
> for FINERACT-808 which makes a start; the goal of this issue is to use the
> new {{org.apache.fineract.infrastructure.security.utils.SQLBuilder}}
> everywhere, and eventually be able to get completely rid of
> {{ApiParameterHelper}} and {{SQLInjectionValidator}}.
>
> This issue should also include work to scan the code base for places where
> SQL Strings are concatenated without even using the existing helpers.
> FINERACT-853 could potentially help with that.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
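The pattern the issue asks to remove, next to the JDBC PreparedStatement form it asks for, as an added example that is not Fineract's code and does not use its SQLBuilder; the table and column names (m_client, display_name, office_id) and the ClientLookup class are assumed for illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

/** Added example (not Fineract code). Table and column names are assumed. */
public final class ClientLookup {

    /** The pattern the issue wants gone: the request value becomes part of the
     *  SQL text, so the statement's structure depends on what the caller sent. */
    static String concatenatedQuery(String displayName) {
        return "SELECT id, display_name FROM m_client WHERE display_name = '"
                + displayName + "'";
    }

    /** The replacement: the SQL text is a constant with '?' placeholders. The
     *  values travel to the driver separately and are never parsed as SQL, so
     *  no sqlEncodeString / validateSQLInput pre-filtering is needed for them. */
    static final String PREPARED_SQL =
            "SELECT id, display_name FROM m_client WHERE display_name = ? AND office_id = ?";

    static List<String> findClients(Connection conn, String displayName, long officeId)
            throws SQLException {
        List<String> rows = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(PREPARED_SQL)) {
            ps.setString(1, displayName); // bound as data, quotes included
            ps.setLong(2, officeId);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    rows.add(rs.getLong("id") + ":" + rs.getString("display_name"));
                }
            }
        }
        return rows;
    }

    /** Caveat: placeholders bind values only. A column name for ORDER BY cannot
     *  be a '?', so such identifiers must be checked against a fixed allow-list
     *  before being appended to the SQL text. */
    static String orderedBy(String requestedColumn) {
        List<String> allowed = List.of("id", "display_name");
        if (!allowed.contains(requestedColumn)) {
            throw new IllegalArgumentException("unsupported sort column");
        }
        return PREPARED_SQL + " ORDER BY " + requestedColumn;
    }
}
```

Run findClients with any JDBC Connection to the database holding the assumed table; the concatenatedQuery method is kept only to show the shape that the rest of the issue describes.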