[ https://issues.apache.org/jira/browse/FINERACT-854?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Aleksandar Vidakovic updated FINERACT-854:
------------------------------------------
    Fix Version/s: 3.0.0

> Use prepared statements instead of string concatenated SQL everywhere
> ---------------------------------------------------------------------
>
>                 Key: FINERACT-854
>                 URL: https://issues.apache.org/jira/browse/FINERACT-854
>             Project: Apache Fineract
>          Issue Type: Improvement
>          Components: Security
>            Reporter: Michael Vorburger
>            Assignee: Joseph Makara
>            Priority: Major
>              Labels: beginner, scalability, security, technical
>             Fix For: 1.9.0, 3.0.0
>
>
> The Fineract code base in many places creates SQL statements through String
> concatenation. This is prone to SQL injection. This is mitigated by the use
> of helper utilities such as
> {{org.apache.fineract.infrastructure.core.api.ApiParameterHelper.sqlEncodeString(String)}}
> and
> {{org.apache.fineract.infrastructure.security.utils.SQLInjectionValidator.validateSQLInput(String)}}
> but I opine that those are workarounds... the better solution, both for
> security and likely also helping with performance (at least a little bit,
> knowing how much would require measuring it...), would be to use JDBC
> prepared statements with '?' placeholders and passing all raw arguments,
> instead of embedding them in the query String.
>
> FINERACT-808 root cause analysis brought this up, and I'm about to raise a PR
> for FINERACT-808 which makes a start; the goal of this issue is to use the
> new {{org.apache.fineract.infrastructure.security.utils.SQLBuilder}}
> everywhere, and eventually be able to get completely rid of
> {{ApiParameterHelper}} and {{SQLInjectionValidator}}.
>
> This issue should also include work to scan the code base for places where
> SQL Strings are concatenated without even using the existing helpers.
> FINERACT-853 could potentially help with that.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
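The three approaches the issue contrasts (raw concatenation, an escaping helper, and a '?' placeholder with the value bound separately), as an added example that is not Fineract's code. Python's sqlite3 stands in for JDBC because it uses the same qmark placeholder style; the in-memory table, the `m_client` column names and the quote-doubling helper are constructed stand-ins, not the project's real schema or its `sqlEncodeString` implementation.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table; a stand-in, not Fineract's real schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE m_client (id INTEGER PRIMARY KEY, display_name TEXT)")
    conn.executemany("INSERT INTO m_client (display_name) VALUES (?)",
                     [("Alice",), ("O'Brien",), ("Bob",)])
    return conn


def find_by_name_concat(conn: sqlite3.Connection, name: str) -> list:
    # The "before" form the issue describes: the raw argument is spliced into
    # the SQL text, so a quote inside the value becomes part of the statement.
    sql = "SELECT id FROM m_client WHERE display_name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_by_name_escaped(conn: sqlite3.Connection, name: str) -> list:
    # The "workaround" form: a hypothetical escaping helper (a stand-in for
    # sqlEncodeString, not its real implementation) doubles quotes first.
    # It only protects call sites that remember to apply it.
    escaped = name.replace("'", "''")
    sql = "SELECT id FROM m_client WHERE display_name = '" + escaped + "'"
    return [row[0] for row in conn.execute(sql)]


def find_by_name_prepared(conn: sqlite3.Connection, name: str) -> list:
    # The form the issue asks for: a '?' placeholder with the raw value passed
    # as a bound parameter. The driver never mixes it into the SQL text, so the
    # statement's structure is fixed no matter what the value contains.
    sql = "SELECT id FROM m_client WHERE display_name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name: str) -> dict:
    """Run all three lookups on one input; the concatenated form may fail."""
    conn = make_db()
    try:
        concat = find_by_name_concat(conn, name)
    except sqlite3.OperationalError as exc:
        concat = "error: " + str(exc)  # the quote in the value broke the SQL
    return {
        "concat": concat,
        "escaped": find_by_name_escaped(conn, name),
        "prepared": find_by_name_prepared(conn, name),
    }


if __name__ == "__main__":
    for n in ("Alice", "O'Brien"):
        print(n, compare(n))
```

A legitimate value containing a quote is enough to show the difference: concatenation turns it into a malformed statement, while the bound parameter matches the stored row.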