OpenNMS issue NMS-9476

SQL injection in DefaultSurveillanceViewService

Details

• Sprint: Horizon - July 12th

Description

DefaultSurveillanceViewService uses a CriteriaBuilder.sql() call to filter on category names, but the names are neither parameterized nor escaped, so this is a possible SQL injection site.

We should refactor this to avoid manually constructing the SQL query string.

The behavior was introduced in commit 62f4577d57177d1688ed91aa9d0738fa62b57486:

https://github.com/OpenNMS/opennms/commit/62f4577d57177d1688ed91aa9d0738fa62b57486
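As an added illustration (not OpenNMS code, and not the CriteriaBuilder API), the two shapes this ticket contrasts: a restriction whose SQL text is built by splicing category names into it, beside one whose SQL text is fixed and carries the names as bound parameters. The SqlRestriction type, table alias and column names are assumptions for the example.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Hypothetical stand-in for an ORM SQL restriction: a fixed SQL fragment
// plus the values to bind to its placeholders.
final class SqlRestriction {
    final String sql;
    final List<Object> params;
    SqlRestriction(String sql, List<Object> params) {
        this.sql = sql;
        this.params = Collections.unmodifiableList(new ArrayList<>(params));
    }
}

public class CategoryFilter {
    // Assumed schema for the example: alias n for the node table, c for categories.
    private static final String SUBSELECT_PREFIX =
        "n.nodeid IN (SELECT cn.nodeid FROM category_node cn "
        + "JOIN categories c ON cn.categoryid = c.categoryid WHERE c.categoryname IN (";

    // VULNERABLE pattern: request-controlled names become part of the SQL text.
    // A name containing a quote changes the statement instead of being data.
    static SqlRestriction unsafeCategoryRestriction(List<String> categoryNames) {
        StringBuilder sb = new StringBuilder(SUBSELECT_PREFIX);
        for (int i = 0; i < categoryNames.size(); i++) {
            if (i > 0) sb.append(", ");
            sb.append('\'').append(categoryNames.get(i)).append('\'');
        }
        sb.append("))");
        return new SqlRestriction(sb.toString(), Collections.emptyList());
    }

    // FIXED pattern: the SQL text contains only placeholders; the database
    // receives the names as bound values and never parses them as SQL.
    static SqlRestriction safeCategoryRestriction(List<String> categoryNames) {
        if (categoryNames.isEmpty()) {
            return new SqlRestriction("1 = 0", Collections.emptyList()); // matches nothing
        }
        String placeholders = String.join(", ", Collections.nCopies(categoryNames.size(), "?"));
        return new SqlRestriction(SUBSELECT_PREFIX + placeholders + "))",
                                  new ArrayList<>(categoryNames));
    }

    public static void main(String[] args) {
        // Constructed input: an apostrophe in a legitimate name is enough to
        // break the concatenated statement, while the bound form keeps it intact.
        List<String> names = List.of("Routers", "Finance's Servers");
        System.out.println(unsafeCategoryRestriction(names).sql);
        SqlRestriction safe = safeCategoryRestriction(names);
        System.out.println(safe.sql + "  params=" + safe.params);
    }
}
```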

People

• Assignee: Seth Leger
• Reporter: Seth Leger
• Votes: 0
• Watchers: 1