[
https://issues.apache.org/jira/browse/NIFI-5253?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Pierre Villard resolved NIFI-5253.
----------------------------------
Resolution: Feedback Received
Apache NiFi 1.x is no longer maintained and no new release is planned on the
1.x release line. Marking as resolved as part of a cleanup operation. Please
open a new one with an updated description if this is still relevant for NiFi
2.x.
> GenerateTableFetch and QueryDatabaseTable use un-escaped string literals
> ------------------------------------------------------------------------
>
> Key: NIFI-5253
> URL: https://issues.apache.org/jira/browse/NIFI-5253
> Project: Apache NiFi
> Issue Type: Bug
> Affects Versions: 1.6.0
> Reporter: Michael Werle
> Priority: Major
>
> {{org.apache.nifi.processors.standard.AbstractDatabaseFetchProcessor#getLiteralByType}}
> uses un-escaped values from the database as string literals in later
> statements:
>
> {code:java}
> protected static String getLiteralByType(int type, String value, String databaseType) {
>     // Format value based on column type. For example, strings and timestamps need to be quoted
>     switch (type) {
>         // For string-represented values, put in single quotes
>         case CHAR:
>         case LONGNVARCHAR:
>         case LONGVARCHAR:
>         case NCHAR:
>         case NVARCHAR:
>         case VARCHAR:
>         case ROWID:
>         case DATE:
>         case TIME:
>             return "'" + value + "'";
>         ...
> {code}
> The value is the last computed maximum value; it is stored in the state
> manager un-escaped. Granted, this is only used for maximum value columns,
> but it will blow up on anything with a single-quote in it, and presents a
> really good opportunity for attackers who can manipulate any of these
> columns. Ideally, this method should be removed entirely and the code using
> it refactored to use standard JDBC variable binding. In the short run, using
> {{org.apache.commons.lang.StringEscapeUtils#escapeSql}} or simply replacing
> all instances of a single quote with two single quotes (the SQL escape
> mechanism) might help; I don't remember if doing so is safe or not.
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
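The following is an added illustration of the defect described in the issue and of the two remedies the reporter names (doubling single quotes as a stop-gap, and parameter binding as the proper fix); it is not NiFi code and not part of the Jira thread. It uses Python's built-in sqlite3 module as a stand-in for JDBC, a constructed in-memory table whose `name` column plays the role of the tracked maximum-value column, and hypothetical function names (`literal_by_type`, `fetch_after_literal`, `fetch_after_bound`) that exist only in this example.

```python
import sqlite3

# Stand-ins for the java.sql.Types constants the NiFi method switches on;
# only the "wrap in single quotes" branch matters for this demonstration.
QUOTED_TYPES = {"CHAR", "VARCHAR", "NVARCHAR", "DATE", "TIME"}


def literal_by_type(col_type, value):
    """Mirror of the unescaped construction from the issue: string-like
    types are wrapped in single quotes with no escaping at all."""
    if col_type in QUOTED_TYPES:
        return "'" + value + "'"
    return value


def literal_by_type_escaped(col_type, value):
    """Stop-gap the reporter mentions: double every single quote, which is
    the standard SQL escape for a quote inside a string literal."""
    if col_type in QUOTED_TYPES:
        return "'" + value.replace("'", "''") + "'"
    return value


def make_db():
    """Constructed sample data; 'name' is the max-value column whose last
    observed value would be persisted (unescaped) in processor state."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (id INTEGER, name VARCHAR)")
    conn.executemany(
        "INSERT INTO t VALUES (?, ?)",
        [(1, "Adams"), (2, "O'Brien"), (3, "Zimmer")],
    )
    conn.commit()
    return conn


def fetch_after_literal(conn, col_type, last_max, make_literal):
    """Incremental fetch built by string concatenation, as the issue
    describes: the stored maximum is pasted into the WHERE clause."""
    sql = ("SELECT id, name FROM t WHERE name > "
           + make_literal(col_type, last_max) + " ORDER BY id")
    return list(conn.execute(sql))


def fetch_after_bound(conn, last_max):
    """Recommended fix: bind the value as a parameter so it never becomes
    part of the SQL text, whatever characters it contains."""
    sql = "SELECT id, name FROM t WHERE name > ? ORDER BY id"
    return list(conn.execute(sql, (last_max,)))


def demo():
    """Run the three variants against a stored maximum containing a quote.
    The unescaped variant breaks with a syntax error; the other two agree."""
    conn = make_db()
    last_max = "O'Brien"  # constructed: a max value with an embedded quote
    results = {}
    try:
        results["unescaped"] = fetch_after_literal(
            conn, "VARCHAR", last_max, literal_by_type)
    except sqlite3.OperationalError as exc:
        results["unescaped"] = "error: " + str(exc)
    results["escaped"] = fetch_after_literal(
        conn, "VARCHAR", last_max, literal_by_type_escaped)
    results["bound"] = fetch_after_bound(conn, last_max)
    return results


if __name__ == "__main__":
    for variant, outcome in demo().items():
        print(variant, "->", outcome)
```

The syntax error from the unescaped variant is the benign failure mode the issue predicts ("it will blow up on anything with a single-quote in it"); the same construction is what lets a value someone can write into the tracked column reshape the query, which is why binding is the durable answer and quote-doubling only a stop-gap whose correctness depends on the target database's literal rules.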