[ 
https://issues.apache.org/jira/browse/FINERACT-854?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Aleksandar Vidakovic updated FINERACT-854:
------------------------------------------
    Fix Version/s: 3.0.0

> Use prepared statements instead of string concatenated SQL everywhere
> ---------------------------------------------------------------------
>
>                 Key: FINERACT-854
>                 URL: https://issues.apache.org/jira/browse/FINERACT-854
>             Project: Apache Fineract
>          Issue Type: Improvement
>          Components: Security
>            Reporter: Michael Vorburger
>            Assignee: Joseph Makara
>            Priority: Major
>              Labels: beginner, scalability, security, technical
>             Fix For: 1.9.0, 3.0.0
>
>
> The Fineract code base in many places creates SQL statements through String 
> concatenation. This is prone to SQL injection. This is mitigated by the use 
> of helper utilities such as 
> {{org.apache.fineract.infrastructure.core.api.ApiParameterHelper.sqlEncodeString(String)}}
>  and 
> {{org.apache.fineract.infrastructure.security.utils.SQLInjectionValidator.validateSQLInput(String)}}
>  but I opine that those are workarounds... the better solution, both for 
> security and likely also helping with performance (at least a little bit, 
> knowing how much would require measuring it...), would be to use JDBC 
> prepared statements with '?' placeholders and passing all raw arguments, 
> instead of embedding them in the query String.
> FINERACT-808 root cause analysis brought this up, and I'm about to raise a PR 
> for FINERACT-808 which makes a start; the goal of this issue is to use the 
> new {{org.apache.fineract.infrastructure.security.utils.SQLBuilder}} 
> everywhere, and eventually be able to get completely rid of 
> {{ApiParameterHelper}} and {{SQLInjectionValidator}}.
> This issue should also include work to scan the code base for places where 
> SQL Strings are concatenated without even using the existing helpers. 
> FINERACT-853 could potentially help with that.
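The two patterns the issue contrasts, written out as an added Java/JDBC example that is not Fineract code and does not use the project's SQLBuilder (its API is not described here). The table and column names (m_client, display_name, office_id) and the allowlist of sortable columns are assumptions for illustration; a real caller would pass in a Connection obtained from the application's DataSource.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

/**
 * Added example, not part of Fineract: the same lookup written with string
 * concatenation and with a JDBC prepared statement. Table and column names
 * (m_client, display_name, office_id) are assumed for illustration only.
 */
public final class ClientLookup {

    /** The pattern the issue wants to remove: the input is spliced into the SQL text. */
    @Deprecated
    static List<String> findByNameConcatenated(Connection conn, String displayName) throws SQLException {
        // Whatever escaping helper is applied to displayName first, the value still
        // travels as part of the statement text, so safety depends on that helper
        // anticipating every quoting rule of every supported database.
        String sql = "SELECT display_name FROM m_client WHERE display_name = '" + displayName + "'";
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return collect(rs);
        }
    }

    /** The replacement: a '?' placeholder in the SQL text, the raw value bound as a parameter. */
    static List<String> findByName(Connection conn, String displayName) throws SQLException {
        String sql = "SELECT display_name FROM m_client WHERE display_name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, displayName); // sent to the driver separately from the SQL text
            try (ResultSet rs = ps.executeQuery()) {
                return collect(rs);
            }
        }
    }

    /** Optional filters grow the placeholder list, never the embedded text. */
    static List<String> findByNameAndOffice(Connection conn, String displayName, Long officeId)
            throws SQLException {
        StringBuilder sql = new StringBuilder("SELECT display_name FROM m_client WHERE display_name = ?");
        List<Object> params = new ArrayList<>();
        params.add(displayName);
        if (officeId != null) {
            sql.append(" AND office_id = ?");
            params.add(officeId);
        }
        try (PreparedStatement ps = conn.prepareStatement(sql.toString())) {
            for (int i = 0; i < params.size(); i++) {
                ps.setObject(i + 1, params.get(i)); // JDBC parameter indexes are 1-based
            }
            try (ResultSet rs = ps.executeQuery()) {
                return collect(rs);
            }
        }
    }

    /** Columns a caller may sort by; assumed set for this example. */
    private static final Set<String> SORTABLE_COLUMNS = Set.of("display_name", "office_id");

    /**
     * Identifiers (column names, ORDER BY targets) cannot be bound with '?', so the
     * one place where text is still appended is restricted to an allowlist of
     * constants rather than anything derived from the request.
     */
    static List<String> listSorted(Connection conn, String sortColumn) throws SQLException {
        if (!SORTABLE_COLUMNS.contains(sortColumn)) {
            throw new IllegalArgumentException("unsupported sort column");
        }
        String sql = "SELECT display_name FROM m_client ORDER BY " + sortColumn;
        try (PreparedStatement ps = conn.prepareStatement(sql); ResultSet rs = ps.executeQuery()) {
            return collect(rs);
        }
    }

    private static List<String> collect(ResultSet rs) throws SQLException {
        List<String> names = new ArrayList<>();
        while (rs.next()) {
            names.add(rs.getString(1));
        }
        return names;
    }
}
```

The prepared-statement form is also what makes the performance note in the issue plausible: the statement text is constant across calls, so a driver or database that caches parsed plans can reuse them, while every concatenated variant is a new statement.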



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
