DavidLiedle opened a new pull request, #8758:
URL: https://github.com/apache/netbeans/pull/8758
## Fix SQL injection and remove hardcoded credentials in server modules
### Summary
This PR addresses critical security vulnerabilities identified during a security audit of the NetBeans codebase, focusing on making the project more secure and robust.
### Changes Made
#### 1. Fixed SQL Injection Vulnerability (CRITICAL)
- **File:** `ide/db.metadata.model/src/org/netbeans/modules/db/metadata/model/jdbc/oracle/OracleSchema.java`
- **Issue:** Direct string concatenation in SQL query vulnerable to injection attacks
- **Fix:** Replaced `Statement` with `PreparedStatement` using parameterized queries
- **Impact:** Prevents potential database compromise through malicious schema names
#### 2. Removed Hardcoded Credentials (HIGH)
- **Files:**
  - `enterprise/javaee.wildfly/src/org/netbeans/modules/javaee/wildfly/util/WildFlyProperties.java`
  - `contrib/j2ee.jboss4/src/org/netbeans/modules/j2ee/jboss4/util/JBProperties.java`
- **Issue:** Default admin credentials hardcoded as "admin"/"admin"
- **Fix:** Changed to null initialization, forcing proper user configuration
- **Impact:** Prevents unauthorized access with default credentials
### Testing
- ✅ Build successful with `ant build`
- ✅ Commit validation tests passing
- ✅ No regression in functionality
### Security Impact
These fixes improve the overall security posture of NetBeans IDE by addressing:
- 1 Critical SQL injection vulnerability
- 2 High-risk hardcoded credential issues
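As an added illustration of the `Statement`-to-`PreparedStatement` change described in item 1 (example code written for this note, not the PR's diff; the `ALL_TABLES` query, class and method names are assumptions):

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

/** Illustrative only: the query text and names here are assumed, not taken from OracleSchema.java. */
public final class SchemaTableLookup {

    /**
     * "Before" pattern: the caller-supplied schema name is spliced into the SQL text.
     * A quote character inside the value closes the string literal and the remainder
     * of the value is parsed by the database as SQL, so the query's meaning is no
     * longer under the application's control.
     */
    public static List<String> tablesUnsafe(Connection conn, String schemaName) throws SQLException {
        String sql = "SELECT TABLE_NAME FROM ALL_TABLES WHERE OWNER = '" + schemaName + "'";
        try (Statement stmt = conn.createStatement();
             ResultSet rs = stmt.executeQuery(sql)) {
            return collect(rs);
        }
    }

    /**
     * "After" pattern: the SQL text is a constant and the schema name is bound as a
     * typed parameter. The driver sends it as data, never re-parses it as SQL, so
     * quotes or keywords in the value are simply compared against OWNER.
     */
    public static List<String> tablesSafe(Connection conn, String schemaName) throws SQLException {
        String sql = "SELECT TABLE_NAME FROM ALL_TABLES WHERE OWNER = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, schemaName);
            try (ResultSet rs = ps.executeQuery()) {
                return collect(rs);
            }
        }
    }

    /** Drains the first column of the result set into a list. */
    private static List<String> collect(ResultSet rs) throws SQLException {
        List<String> names = new ArrayList<>();
        while (rs.next()) {
            names.add(rs.getString(1));
        }
        return names;
    }
}
```

Bind parameters only work where the schema name is a value (as in the `WHERE` clause above); if it is used as an identifier, such as the owner prefix in `FROM owner.table`, JDBC cannot bind it, and it must instead be checked against the catalog (`DatabaseMetaData.getSchemas()`) or quoted with the driver's `DatabaseMetaData.getIdentifierQuoteString()` before being placed in the query text.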
--
This is an automated message from the Apache Git Service.