Be on the lookout for code that allows SQL injection

DJ Gregor-2

Be on the lookout for code that allows SQL injection

FYI, I just wanted to make sure everyone's on the lookout for code that
allows SQL injection.  A fix was made to getIfLabelfromIfIndex in
IfLabel.java that leaves it vulnerable to SQL injection, but luckily it
is never called with user-supplied data.

Remember: whenever you're building an SQL query (or similarly, a command
to execute), never use user-provided (or browser-, REST-, etc.-provided)
data.  If you must use such data, we might want to have a standard
helper method somewhere that we call to ensure it's properly sanitized
(note: we don't want to include a chunk of code inline to sanitize
because those are troublesome to replace if someone finds a new way to
get around sanitation methods).

For more info:
http://en.wikipedia.org/wiki/SQL_injection

Lastly, we might want to make a parameterization-friendly version of
Querier to make it easier to upgrade old SQL queries in an SQL
injection-resistant manner.


        - djg

----- Original message -----
From: [hidden email]
To: [hidden email]
Date: Tue, 18 Aug 2009 19:16:14 -0400 (EDT)
Subject: [Buglist] [Bug 3310] bad DB query in IfLabel.java

http://bugzilla.opennms.org/show_bug.cgi?id=3310

------- Comment #2 from [hidden email]  2009-08-18 19:16 -------
Note: The updated getIfLabelfromIfIndex in IfLabel is vulnerable to SQL
injection attacks if the ipAddr String passed is ever provided by a
user. I only see it used once, for the element/interface.jsp page, and
the value for ipAddr in that case comes from the database, so we should
be safe for now.

Wherever possible, it would be ideal to leave the code like it was
previously, using a static query and using parameterized SQL statements.
Unfortunately, Querier doesn't support this right now. :-(


------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now.  http://p.sf.net/sfu/bobj-july
_______________________________________________
Please read the OpenNMS Mailing List FAQ:
http://www.opennms.org/index.php/Mailing_List_FAQ

opennms-devel mailing list

To *unsubscribe* or change your subscription options, see the bottom of this page:
https://lists.sourceforge.net/lists/listinfo/opennms-devel
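The two forms of the lookup discussed above, side by side, as an added example that is not code from OpenNMS or from this thread: the first method splices ipAddr into the SQL text the way the bug report describes, the second keeps the SQL static and binds the values through a JDBC PreparedStatement, and the generic query helper is a sketch of the "parameterization-friendly" Querier DJ proposes, not the real Querier API. The table and column names (snmpinterface, ipaddr, snmpifindex, snmpifname), the class name and the JDBC URL taken from the command line are all assumptions made for the example.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

/** Added example; table/column names are assumed, not taken from the OpenNMS schema. */
public final class IfLabelQueryExample {

    /**
     * Vulnerable form, as the bug report describes the updated method: ipAddr is
     * concatenated into the statement text, so a value containing a quote character
     * changes the structure of the query instead of being compared as data.
     * Kept only as the "before" picture; do not copy this pattern.
     */
    static String lookupIfLabelConcatenated(Connection conn, String ipAddr, int ifIndex)
            throws SQLException {
        String sql = "SELECT snmpifname FROM snmpinterface WHERE ipaddr = '"
                + ipAddr + "' AND snmpifindex = " + ifIndex;
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next() ? rs.getString(1) : null;
        }
    }

    /**
     * Resistant form: the SQL text is a constant with placeholders and the driver
     * sends the bound values separately, so they are never parsed as SQL.
     */
    static String lookupIfLabelParameterized(Connection conn, String ipAddr, int ifIndex)
            throws SQLException {
        final String sql =
                "SELECT snmpifname FROM snmpinterface WHERE ipaddr = ? AND snmpifindex = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, ipAddr);   // JDBC placeholders are 1-based
            ps.setInt(2, ifIndex);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }

    /** Maps one row of a ResultSet to a value; hypothetical, not part of OpenNMS. */
    interface RowMapper<T> {
        T map(ResultSet rs) throws SQLException;
    }

    /**
     * Sketch of a parameterization-friendly query helper: callers pass a static SQL
     * string with '?' placeholders plus the values to bind, and never build SQL text
     * from data. Hypothetical stand-in for the Querier upgrade proposed in the thread.
     */
    static <T> List<T> query(Connection conn, String sql, RowMapper<T> mapper, Object... params)
            throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            for (int i = 0; i < params.length; i++) {
                ps.setObject(i + 1, params[i]);
            }
            try (ResultSet rs = ps.executeQuery()) {
                List<T> rows = new ArrayList<>();
                while (rs.next()) {
                    rows.add(mapper.map(rs));
                }
                return rows;
            }
        }
    }

    /** Usage: java IfLabelQueryExample <jdbc-url> <ipAddr>  (a JDBC driver must be on the classpath). */
    public static void main(String[] args) throws SQLException {
        if (args.length < 2) {
            System.err.println("usage: IfLabelQueryExample <jdbc-url> <ipAddr>");
            return;
        }
        try (Connection conn = DriverManager.getConnection(args[0])) {
            List<String> labels = query(conn,
                    "SELECT snmpifname FROM snmpinterface WHERE ipaddr = ?",
                    rs -> rs.getString("snmpifname"),
                    args[1]);
            System.out.println(labels);
        }
    }
}
```

The helper also answers the point about inline sanitising code: with binding there is nothing to sanitise, so there is no escaping routine to track down and replace later if a bypass is found. The one thing it cannot parameterise is the SQL structure itself (table names, column names, ORDER BY targets), so those must stay literal in the code rather than come from a request.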
Tarus Balog

Re: Be on the lookout for code that allows SQL injection


On Aug 18, 2009, at 7:25 PM, DJ Gregor wrote:

> Lastly, we might want to make a parameterization-friendly version of
> Querier to make it easier to upgrade old SQL queries in an SQL
> injection-resistant manner.

Great idea. While there should be little danger to a network posed by
owning an OpenNMS server, the latest arrest on the 130 million credit
card number scheme showed that SQL injections are a) pretty common and
b) pretty powerful.

We want to avoid them, of course.

-T

_______________________________________________________________________
Tarus Balog, OpenNMS Maintainer             Main:   +1 919 533 0160
The OpenNMS Group, Inc.                     Fax:    +1 773 345 3645
Email: [hidden email]                    URL: http://www.opennms.org
PGP Key Fingerprint: 8945 8521 9771 FEC9 5481  512B FECA 11D2 FD82 B45C


Alexander Hoogerhuis

Re: Be on the lookout for code that allows SQL injection

Tarus Balog wrote:

> On Aug 18, 2009, at 7:25 PM, DJ Gregor wrote:
>
>> Lastly, we might want to make a parameterization-friendly version of
>> Querier to make it easier to upgrade old SQL queries in an SQL
>> injection-resistant manner.
>
> Great idea. While there should be little danger to a network posed by  
> owning an OpenNMS server, the latest arrest on the 130 million credit  
> card number scheme showed that SQL injections are a) pretty common and  
> b) pretty powerful.
>
> We want to avoid them, of course.
>

There is also the issue that not all OpenNMS deployments are in closed
networks, and by nature machines that need to be monitored may have
more services readily open for traffic sourced from an OpenNMS instance
than would otherwise be available to take a poke at.

> -T
>

-A
