From 60e27d9b92703528965c6cb7de557a402b22afb5 Mon Sep 17 00:00:00 2001
From: brinn <brinn>
Date: Wed, 14 Nov 2012 15:21:53 +0000
Subject: [PATCH] [BIS-260] Fix SQL injections for custom queries

Add some defensive checks for parameter resolution.

SVN: 27624
---
 .../systemsx/cisd/openbis/plugin/query/server/DAO.java | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/openbis/source/java/ch/systemsx/cisd/openbis/plugin/query/server/DAO.java b/openbis/source/java/ch/systemsx/cisd/openbis/plugin/query/server/DAO.java
index 794b8471496..3de612b9693 100644
--- a/openbis/source/java/ch/systemsx/cisd/openbis/plugin/query/server/DAO.java
+++ b/openbis/source/java/ch/systemsx/cisd/openbis/plugin/query/server/DAO.java
@@ -223,7 +223,11 @@ class DAO extends SimpleJdbcDaoSupport implements IDAO
 for (Entry<String, String> entry : bindingsOrNull.getBindings().entrySet())
 {
 template.bind(entry.getKey(), "?");
- indexMap.put(template.tryGetIndex(entry.getKey()), entry);
+ final int index = template.tryGetIndex(entry.getKey());
+ if (index >= 0)
+ {
+ indexMap.put(index, entry);
+ }
 }
 }
 final PreparedStatement psm = con.prepareStatement(template.createText());
@@ -231,6 +235,10 @@ class DAO extends SimpleJdbcDaoSupport implements IDAO
 for (int i = 1; i <= pmd.getParameterCount(); ++i)
 {
 final Entry<String, String> entry = indexMap.get(i - 1);
+ if (entry == null)
+ {
+ throw new SQLDataException("No variable found for for parameter " + i);
+ }
 final String strValue = entry.getValue();
 try
 {
--
GitLab
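Review bot: The new `if (index >= 0)` guard silently drops any binding whose key the template does not contain, so a misspelled or surplus binding name produces no error here, while the second hunk reports the reverse mismatch with an exception; if that asymmetry is intended, a comment should say so, e.g. `// a negative index means the template has no variable of this name; the binding is ignored`. The contract of `tryGetIndex` is not visible in the diff, so the negative-means-missing reading is inferred from the check itself. Note also that `template.bind(entry.getKey(), "?")` still runs before the lookup, so whatever `bind` does for an unknown name is not prevented by the guard. The enclosing method and the conditional around this loop start outside the hunk.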
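Review bot: The new exception message contains a doubled word; `throw new SQLDataException("No variable found for parameter " + i);` reads correctly and is the only change needed. The diff adds no import, and the diffstat's nine insertions are all accounted for by the two hunks, so `SQLDataException` presumably already resolves in this file; worth confirming before merging. The method body continues past the hunk, as the `try` opened on its last lines is closed outside it.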