FYI, I just wanted to make sure everyone's on the lookout for code that allows SQL injection. A fix was made to getIfLabelfromIfIndex in IfLabel.java that leaves it vulnerable to SQL injection, but luckily it is never called with user-supplied data.
Remember: whenever you're building an SQL query (or similarly, a command to execute), never use user-provided (or browser-, REST-, etc.-provided) data. If you must use such data, we might want to have a standard helper method somewhere that we call to ensure it's properly sanitized (note: we don't want to include a chunk of code inline to sanitize because those are troublesome to replace if someone finds a new way to get around sanitation methods). For more info: http://en.wikipedia.org/wiki/SQL_injection

Lastly, we might want to make a parameterization-friendly version of Querier to make it easier to upgrade old SQL queries in an SQL injection-resistant manner.

- djg

----- Original message -----
From: bugzi...@opennms.org
To: bugl...@opennms.org
Date: Tue, 18 Aug 2009 19:16:14 -0400 (EDT)
Subject: [Buglist] [Bug 3310] bad DB query in IfLabel.java

http://bugzilla.opennms.org/show_bug.cgi?id=3310

------- Comment #2 from d...@opennms.org 2009-08-18 19:16 -------
Note: The updated getIfLabelfromIfIndex in IfLabel is vulnerable to SQL injection attacks if the ipAddr String passed is ever provided by a user. I only see it used once, for the element/interface.jsp page, and the value for ipAddr in that case comes from the database, so we should be safe for now.

Wherever possible, it would be ideal to leave the code like it was previously, using a static query and using parameterized SQL statements. Unfortunately, Querier doesn't support this right now. :-(

_______________________________________________
Buglist mailing list
bugl...@lists.opennms.com
http://lists.opennms.com/mailman/listinfo/buglist
_______________________________________________
opennms-devel mailing list
https://lists.sourceforge.net/lists/listinfo/opennms-devel
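As an added illustration (not OpenNMS code, and not the Querier class the thread refers to), here is the shape a parameterization-friendly query helper could take, next to the string-concatenation pattern the bug comment warns about. The `ParameterizedQuerier` class, its `RowHandler` callback, and the `iface`/`if_label`/`ip_addr` table and column names are all hypothetical placeholders.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

// Added illustration, not OpenNMS code. Table/column names are placeholders.
public final class ParameterizedQuerier {
    /** Called once per result row, in the style of a row-mapper callback. */
    public interface RowHandler {
        void processRow(ResultSet rs) throws SQLException;
    }

    private final Connection conn;

    public ParameterizedQuerier(Connection conn) {
        this.conn = conn;
    }

    /**
     * Runs a static SQL string whose variable parts are '?' placeholders.
     * The driver binds each value as data, so no value can alter the query text.
     */
    public void execute(String sql, RowHandler handler, Object... params)
            throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            for (int i = 0; i < params.length; i++) {
                ps.setObject(i + 1, params[i]); // JDBC parameter indexes start at 1
            }
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    handler.processRow(rs);
                }
            }
        }
    }

    // The pattern the bug comment warns about: ipAddr is spliced into the SQL
    // text, so a quote character in it changes the query. Shown for contrast only.
    static String unsafeSql(String ipAddr) {
        return "SELECT if_label FROM iface WHERE ip_addr = '" + ipAddr + "'";
    }

    // The recommended shape: constant SQL, ipAddr passed as a bound parameter.
    static final String SAFE_SQL = "SELECT if_label FROM iface WHERE ip_addr = ?";

    /** Looks up an interface label by address; returns null if no row matches. */
    public String getIfLabel(String ipAddr) throws SQLException {
        String[] label = new String[1];
        execute(SAFE_SQL, rs -> label[0] = rs.getString(1), ipAddr);
        return label[0];
    }
}
```

Because `SAFE_SQL` is a compile-time constant, a code review can confirm at a glance that no caller can influence the query text, which is exactly the property the concatenated version lacks.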