Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Analize/(fix) if a sql-injection is possible in sql-backends #2125

Closed
AlvaroVega opened this issue Feb 2, 2022 · 3 comments
Closed

Analize/(fix) if a sql-injection is possible in sql-backends #2125

AlvaroVega opened this issue Feb 2, 2022 · 3 comments
Milestone
release/2.16.0

Comments

@AlvaroVega
Copy link
Member

AlvaroVega commented Feb 2, 2022
edited
Loading

fiware-cygnus/cygnus-common/src/main/java/com/telefonica/iot/cygnus/backends/sql/SQLQueryUtils.java

Line 498 in f686eec

stringValue = quotationMark + value.getAsString() + quotationMark;

@AlvaroVega
Copy link
Member Author

Maybe with attr_native_types = false is reducing inpact

@AlvaroVega
Copy link
Member Author 

import org.apache.commons.lang.StringEscapeUtils;
String escapedSQL = StringEscapeUtils.escapeSql(unescapedSQL);

This was referenced Feb 3, 2022
Closed
Merged
@fgalan fgalan added this to the release/2.16.0 milestone Feb 3, 2022
@fgalan
Copy link
Member

fgalan commented Feb 3, 2022

Fixed by PR #2128

@fgalan fgalan closed this as completed Feb 3, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
release/2.16.0
Development

No branches or pull requests
2 participants
@AlvaroVega @fgalan