Uploaded image for project: 'Seam 2'
  1. Seam 2
  2. JBSEAM-2084

(security) EJB-QL injection in org.jboss.seam.framework.Query

    Details

    • Type: Bug
    • Status: Closed (View Workflow)
    • Priority: Major
    • Resolution: Duplicate Issue
    • Affects Version/s: 2.0.0.CR2
    • Fix Version/s: 2.0.0.CR3
    • Component/s: Core
    • Labels:
      None
    • Environment:

      Hibernate, PostgreSQL

    • Workaround:
      Workaround Exists
    • Workaround Description:
      Hide

      Quick fix in derived class:

      @Name("blaList")
      public class BlaList extends EntityQuery {
      [...]
      private static final String[] ORDERS =

      {"name asc","name desc","id asc","id desc"}

      ;

      @Override
      public void setOrder(String order) {
      if (Arrays.asList(ORDERS).contains(order))

      { super.setOrder(order); }

      }

      Show
      Quick fix in derived class: @Name("blaList") public class BlaList extends EntityQuery { [...] private static final String[] ORDERS = {"name asc","name desc","id asc","id desc"} ; @Override public void setOrder(String order) { if (Arrays.asList(ORDERS).contains(order)) { super.setOrder(order); } }

      Description

      There is a security hole in class: org.jboss.seam.framework.Query in method: getRenderedEjbql(). This method generate EJB-QL query in this way:

      if ( getOrder()!=null ) builder.append(" order by ").append( getOrder() );
      return builder.toString();

      "Order" variable comes from request.

        Gliffy Diagrams

          Attachments

            Issue Links

            duplicates

            Patch - An improvement or enhancement to an existing feature or task. Includes patches submitted by community commiters. JBSEAM-2099 Support protection against SQL injection in Query order parameter

            • Critical - An upcoming version that is affected by this issue cannot be released until it's addressed. A critical bug is one that crashes the application, causes loss of data or severe memory leak.
            • Closed

              Activity

                People

                • Assignee:
                  norman.richards Norman Richards
                  Reporter:
                  antoni.jakubiak Antoni Jakubiak
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  0 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: