[jira] [Commented] (OOZIE-2362) SQL injection in BulkJPAExecutor
[ https://issues.apache.org/jira/browse/OOZIE-2362?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15337045#comment-15337045 ] Robert Kanter commented on OOZIE-2362:
--
I'll fix the long lines on committing, but please take care of that next time.

+1

> SQL injection in BulkJPAExecutor
>
> Key: OOZIE-2362
> URL: https://issues.apache.org/jira/browse/OOZIE-2362
> Project: Oozie
> Issue Type: Bug
> Components: core, security
> Affects Versions: 4.2.0
> Reporter: thierry accart
> Assignee: Peter Bacsko
> Priority: Critical
> Labels: patch
> Fix For: trunk
> Attachments: 0001-OOZIE-2362-SQL-injection-in-BulkJPAExecutor.patch, OOZIE-2362-001.patch, OOZIE-2362-002.patch
>
> In method inClause of org.apache.oozie.executor.jpa.BulkJPAExecutor there is a possibility for SQL injection (https://www.owasp.org/index.php/SQL_injection): there is no validation of the content of string name before it is included in the SQL script, opening a possibility for a malicious user to inject SQL commands.
> A simple validation of strings using .matches(...) would fix the problem.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (OOZIE-2362) SQL injection in BulkJPAExecutor
[ https://issues.apache.org/jira/browse/OOZIE-2362?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15335902#comment-15335902 ] Hadoop QA commented on OOZIE-2362:
--
Testing JIRA OOZIE-2362

Cleaning local git workspace

+1 PATCH_APPLIES
+1 CLEAN
-1 RAW_PATCH_ANALYSIS
    +1 the patch does not introduce any @author tags
    +1 the patch does not introduce any tabs
    +1 the patch does not introduce any trailing spaces
    -1 the patch contains 2 line(s) longer than 132 characters
    -1 the patch does not add/modify any testcase
+1 RAT
    +1 the patch does not seem to introduce new RAT warnings
+1 JAVADOC
    +1 the patch does not seem to introduce new Javadoc warnings
+1 COMPILE
    +1 HEAD compiles
    +1 patch compiles
    +1 the patch does not seem to introduce new javac warnings
+1 BACKWARDS_COMPATIBILITY
    +1 the patch does not change any JPA Entity/Colum/Basic/Lob/Transient annotations
    +1 the patch does not modify JPA files
-1 TESTS
    Tests run: 1787
    Tests failed: 1
    Tests errors: 0
    The patch failed the following testcases:
        testBundleStatusTransitWithLock(org.apache.oozie.service.TestStatusTransitService)
+1 DISTRO
    +1 distro tarball builds with the patch

-1 Overall result, please check the reported -1(s)

The full output of the test-patch run is available at
https://builds.apache.org/job/oozie-trunk-precommit-build/3002/
[jira] [Commented] (OOZIE-2362) SQL injection in BulkJPAExecutor
[ https://issues.apache.org/jira/browse/OOZIE-2362?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15334714#comment-15334714 ] Robert Kanter commented on OOZIE-2362:
--
Looks good; here are a few comments:

# Let's avoid using Guava unless necessary. They have a tendency to remove methods or be incompatible.
{code:java}
List params = Lists.newArrayList();
{code}
can just be
{code:java}
List params = new ArrayList();
{code}
# There seem to be a few places where we're getting {{bulkFilter.get(BulkResponseImpl.BULK_FILTER_STATUS)}}. Can we get that once and pass it around like we're doing with {{bulkFilter.get(BulkResponseImpl.BULK_FILTER_COORD)}}?
[jira] [Commented] (OOZIE-2362) SQL injection in BulkJPAExecutor
[ https://issues.apache.org/jira/browse/OOZIE-2362?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15332042#comment-15332042 ] Hadoop QA commented on OOZIE-2362:
--
Testing JIRA OOZIE-2362

Cleaning local git workspace

+1 PATCH_APPLIES
+1 CLEAN
-1 RAW_PATCH_ANALYSIS
    +1 the patch does not introduce any @author tags
    +1 the patch does not introduce any tabs
    +1 the patch does not introduce any trailing spaces
    -1 the patch contains 2 line(s) longer than 132 characters
    -1 the patch does not add/modify any testcase
+1 RAT
    +1 the patch does not seem to introduce new RAT warnings
+1 JAVADOC
    +1 the patch does not seem to introduce new Javadoc warnings
+1 COMPILE
    +1 HEAD compiles
    +1 patch compiles
    +1 the patch does not seem to introduce new javac warnings
+1 BACKWARDS_COMPATIBILITY
    +1 the patch does not change any JPA Entity/Colum/Basic/Lob/Transient annotations
    +1 the patch does not modify JPA files
-1 TESTS
    Tests run: 1787
    Tests failed: 2
    Tests errors: 0
    The patch failed the following testcases:
        testMaxMatThrottleNotPicked(org.apache.oozie.service.TestCoordMaterializeTriggerService)
        testBundleStatusTransitWithLock(org.apache.oozie.service.TestStatusTransitService)
+1 DISTRO
    +1 distro tarball builds with the patch

-1 Overall result, please check the reported -1(s)

The full output of the test-patch run is available at
https://builds.apache.org/job/oozie-trunk-precommit-build/2995/
[jira] [Commented] (OOZIE-2362) SQL injection in BulkJPAExecutor
[ https://issues.apache.org/jira/browse/OOZIE-2362?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15331966#comment-15331966 ] Peter Bacsko commented on OOZIE-2362:
--
Examples:

{code}
*** Action query:
SELECT a.id, a.actionNumber, a.errorCode, a.errorMessage, a.externalId, a.externalStatus, a.statusStr,
       a.createdTimestamp, a.nominalTimestamp, a.missingDependencies, c.id, c.appName, c.statusStr
FROM CoordinatorActionBean a, CoordinatorJobBean c
WHERE a.jobId = c.id
  AND c.bundleId = :bundleId
  AND a.nominalTimestamp <= :endNominal AND a.nominalTimestamp >= :startNominal
  AND a.createdTimestamp <= :endCreated AND a.createdTimestamp >= :startCreated
  AND a.statusStr IN ('FAILED','KILLED')
ORDER BY a.jobId, a.createdTimestamp

*** Count query:
SELECT COUNT(a)
FROM CoordinatorActionBean a, CoordinatorJobBean c
WHERE a.jobId = c.id
  AND c.bundleId IN ('000-160615161217850-oozie-pbac-B')
  AND a.nominalTimestamp <= :endNominal AND a.nominalTimestamp >= :startNominal
  AND a.createdTimestamp <= :endCreated AND a.createdTimestamp >= :startCreated
  AND a.statusStr IN ('FAILED','KILLED')
{code}

vs

{code}
*** Action query:
SELECT a.id, a.actionNumber, a.errorCode, a.errorMessage, a.externalId, a.externalStatus, a.statusStr,
       a.createdTimestamp, a.nominalTimestamp, a.missingDependencies, c.id, c.appName, c.statusStr
FROM CoordinatorActionBean a, CoordinatorJobBean c
WHERE a.jobId = c.id
  AND c.bundleId = :bundleId
  AND c.appName IN (:param0, :param1)
  AND a.statusStr IN (:status0)
ORDER BY a.jobId, a.createdTimestamp

*** count query:
SELECT COUNT(a)
FROM CoordinatorActionBean a, CoordinatorJobBean c
WHERE a.jobId = c.id
  AND c.bundleId IN (:count0)
  AND c.appName IN (:param0, :param1)
  AND a.statusStr IN (:status0)

Param set - count0: 000-160615160306739-oozie-pbac-B
Param set - status0: KILLED
Param set - param0: Coord1
Param set - param1: Coord2
{code}
[jira] [Commented] (OOZIE-2362) SQL injection in BulkJPAExecutor
[ https://issues.apache.org/jira/browse/OOZIE-2362?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15331628#comment-15331628 ] Peter Bacsko commented on OOZIE-2362:
--
I assigned this to myself. I'm soon going to provide a patch where the query is generated with named parameters.
[jira] [Commented] (OOZIE-2362) SQL injection in BulkJPAExecutor
[ https://issues.apache.org/jira/browse/OOZIE-2362?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15123439#comment-15123439 ] thierry accart commented on OOZIE-2362:
--
IMHO, the correct fix shall not build an SQL query based on parameters: the patch is a quick fix. To make something correct, code shall never build SQL queries but should check parameters, reject any request with incorrect parameters, or, if all parameters are correct, use prepared statements (for example).
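The two shapes discussed in this thread, side by side: the concatenated IN (...) clause the reporter flagged in inClause, and the named-parameter form Peter Bacsko's later comment shows (:param0, :param1, :status0), which is the JPA equivalent of the prepared statement thierry accart asks for. This is an added example, not Oozie's BulkJPAExecutor code; the class InClauseExample, the methods unsafeInClause and safeInClause, and the Clause holder are hypothetical names, and the input values are constructed. The column expression c.appName and the param prefix are taken from the patched query above.

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/**
 * Added example for OOZIE-2362 (not Oozie code): the same IN (...) clause
 * built two ways. unsafeInClause() splices caller-supplied values into the
 * query text; safeInClause() emits one named placeholder per value and
 * returns the bindings separately, which is the shape of the patched
 * queries (:param0, :param1, :status0, :count0). Names are hypothetical.
 */
public class InClauseExample {

    /** Vulnerable form: filter values become part of the JPQL text. */
    static String unsafeInClause(String column, List<String> values) {
        StringBuilder sb = new StringBuilder(column).append(" IN (");
        for (int i = 0; i < values.size(); i++) {
            if (i > 0) {
                sb.append(", ");
            }
            sb.append('\'').append(values.get(i)).append('\'');
        }
        return sb.append(')').toString();
    }

    /** Query fragment plus the parameters that must be bound before execution. */
    static final class Clause {
        final String jpql;
        final Map<String, Object> params;

        Clause(String jpql, Map<String, Object> params) {
            this.jpql = jpql;
            this.params = params;
        }
    }

    /**
     * Safe form: only placeholder names reach the query text; the values are
     * handed to the JPA provider via setParameter() and never parsed as JPQL.
     * The column name must come from code, not from the request: it is still
     * concatenated, and parameters cannot stand in for identifiers.
     */
    static Clause safeInClause(String column, String paramPrefix, List<String> values) {
        if (values.isEmpty()) {
            // "IN ()" is a syntax error on most databases; reject it up front.
            throw new IllegalArgumentException("IN list must not be empty");
        }
        Map<String, Object> params = new LinkedHashMap<String, Object>();
        StringBuilder sb = new StringBuilder(column).append(" IN (");
        for (int i = 0; i < values.size(); i++) {
            String name = paramPrefix + i;   // param0, param1, ...
            if (i > 0) {
                sb.append(", ");
            }
            sb.append(':').append(name);
            params.put(name, values.get(i));
        }
        return new Clause(sb.append(')').toString(), params);
    }

    public static void main(String[] args) {
        // Constructed input: a harmless name plus a value carrying a quote and an OR tail.
        List<String> appNames = Arrays.asList("Coord1", "x') OR ('1'='1");

        // The second value closes the IN list early and appends its own predicate.
        System.out.println("unsafe: " + unsafeInClause("c.appName", appNames));

        // The same value is bound as a literal; the query text contains only :param1.
        Clause clause = safeInClause("c.appName", "param", appNames);
        System.out.println("safe:   " + clause.jpql);
        for (Map.Entry<String, Object> e : clause.params.entrySet()) {
            System.out.println("  bind " + e.getKey() + " = " + e.getValue());
        }
        // With a real EntityManager the fragment is appended to the query string
        // and each entry is bound with query.setParameter(e.getKey(), e.getValue()).
    }
}
```

Run with `javac InClauseExample.java && java InClauseExample`. The one-placeholder-per-value layout matches the patch; JPA 2.0 providers also accept a single collection-valued parameter (`IN (:names)` bound to a List), which reads more simply but gives the same guarantee. Either way the filter values never reach the JPQL parser, so validating their content with `.matches(...)` becomes a defensive extra rather than the only barrier.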
[jira] [Commented] (OOZIE-2362) SQL injection in BulkJPAExecutor
[ https://issues.apache.org/jira/browse/OOZIE-2362?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15057397#comment-15057397 ] Hadoop QA commented on OOZIE-2362:
--
Testing JIRA OOZIE-2362

Cleaning local git workspace

-1 Patch failed to apply to head of branch
[jira] [Commented] (OOZIE-2362) SQL injection in BulkJPAExecutor
[ https://issues.apache.org/jira/browse/OOZIE-2362?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14745876#comment-14745876 ] Hadoop QA commented on OOZIE-2362:
--
Testing JIRA OOZIE-2362

Cleaning local git workspace

-1 Patch failed to apply to head of branch