[NMS-9476] SQL injection in DefaultSurveillanceViewService - The OpenNMS Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Resolved (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 16.0.0, Meridian-2016.1.1
Fix Version/s: 20.0.2, Meridian-2016.1.6, Meridian-2017.1.0
Component/s: Database, Web UI - Dashboard
Security Level: Default (Default Security Scheme)
Labels:
None

Sprint:
Horizon - July 12th

Description

DefaultSurveillanceViewService uses a CriteriaBuilder.sql() call to filter on category names but the names are not parameterized or escaped so this is a possible SQL injection site.

We should refactor this to avoid manually constructing the SQL query string.

The behavior was introduced in commit 62f4577d57177d1688ed91aa9d0738fa62b57486:

https://github.com/OpenNMS/opennms/commit/62f4577d57177d1688ed91aa9d0738fa62b57486

Attachments

Issue Links

depends on

NMS-9480 Add parameterized SQL support to Criteria API

Resolved

Activity

People

Assignee:

Seth Leger

Reporter:

Seth Leger

Votes:

0 Vote for this issue

Watchers:

1 Start watching this issue

Dates

Created:

28/Jun/17 3:02 PM

Updated:

22/Aug/17 7:54 PM

Resolved:

17/Jul/17 3:08 PM