Orientdb: OrientDB REST batch queries are vulnerable to SQL Injection

Created on 17 Sep 2018 · 9 Comments · Source: orientechnologies/orientdb

OrientDB Version: 2.2.36

Java Version: 1.8

OS: Ubuntu 18.04

Expected behavior

In the documentation there is no option to resolve the SQL injection. Batch queries are a must to preserve atomic transactions. We need support for the parameters feature.

Actual behavior

I'm trying

{
    "transaction" : true,
    "operations" : [
        {
            "type" : "cmd",
            "language" : "sql",
            "command" : "update User set name=? where id=?",
            "parameters" : ["test", "1234"]
        }
    ]
}

The query passes without any error. But there is no update to the record.

Steps to reproduce

Just run the query above.
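The following is an added example, not code from the issue or from OrientDB itself. It builds the same REST batch body two ways, by pasting the input into the SQL text and by passing it through the "parameters" array the report asks for, and shows that only the concatenated version lets the value reach the statement. The `User` class, the field names and the sample input are constructed for the illustration; the parameterized form assumes a server build in which batch "cmd" operations honour "parameters".

```python
import json

# Constructed sample input: a value that would break out of a string
# literal and change the where clause if pasted into the SQL text.
UNTRUSTED_NAME = "test' or id='9999"
USER_ID = "1234"


def unsafe_batch(name, user_id):
    """Batch body built by string concatenation: the input becomes SQL."""
    command = "update User set name='%s' where id='%s'" % (name, user_id)
    return {
        "transaction": True,
        "operations": [
            {"type": "cmd", "language": "sql", "command": command}
        ],
    }


def safe_batch(name, user_id):
    """Batch body with positional parameters, as in the issue's payload.
    The SQL text is constant; the input only ever travels as data."""
    return {
        "transaction": True,
        "operations": [
            {
                "type": "cmd",
                "language": "sql",
                "command": "update User set name=? where id=?",
                "parameters": [name, user_id],
            }
        ],
    }


def sql_text_contains_input(body, value):
    """True if the untrusted value ended up inside any SQL command text."""
    return any(value in op["command"] for op in body["operations"])


if __name__ == "__main__":
    # Print both bodies as they would be POSTed to /batch/<database>.
    print(json.dumps(unsafe_batch(UNTRUSTED_NAME, USER_ID), indent=2))
    print(json.dumps(safe_batch(UNTRUSTED_NAME, USER_ID), indent=2))
```

Checking `sql_text_contains_input` against every operation before sending a batch is a cheap guard that catches the concatenated pattern in client code.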

All 9 comments

Hi @cegprakash

I just pushed a fix to both 3.0.x and develop; it will be released with the next 3.0.8

Thanks

Luigi

Sorry,

Sorry, re-opening, I'll see if I can backport it to 2.2

Thanks

Luigi

If possible, can you add 'parameters' support for "type" : "script" when language = 'sql' as well?

Yes, I think we can do it

Thanks

Luigi

Hi @cegprakash

I just pushed the fix for parameters on "script" (3.0 and 3.1); now I'm backporting it to 2.2

Thanks

Luigi

Hi @cegprakash

Also v2.2 is now fixed

Thanks

Luigi

How can I get this change? Can I just download the community edition from the website again?

Hi @cegprakash

The snapshots will be available in a few minutes here:
https://oss.sonatype.org/content/repositories/snapshots/com/orientechnologies/orientdb-community/

The official GA will be released in a few days (no fixed date yet)

Thanks

Luigi
