Closed Tanish0019 closed 5 months ago
@ashoke-cube
Do you need to add any new test cases for the method?
I'll add one
Again, wouldn't that be another security issue, that any malicious user can simply turn it off?
Oh yeah. I was thinking of an internal config but forgot this is open source and the config can just be viewed.
Project ID: kafka-connect-jdbc
Problem
Ref: CC-24497
Solution
Added a check that sees if column names supplied as part of the configuration exist in at least one table. This prevents misuse of these configurations, which can be used for SQL injection.
Does this solution apply anywhere else?
If yes, where?
Test Strategy
Testing done:
Release Plan
[CC-24497]: https://confluentinc.atlassian.net/browse/CC-24497?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ
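The check the Solution section describes, as an added example that is not kafka-connect-jdbc's own code: it is written in Python against an in-memory SQLite schema constructed here (the connector itself is Java and would do the same lookup through JDBC's DatabaseMetaData.getColumns). The config keys incrementing.column.name and timestamp.column.name are modeled on the connector's option names; the query shape, the two tables, the sample rows and the helper names are assumptions for illustration. The block first shows what an attacker-controlled column name can do when it is interpolated into the generated query, then shows the schema check rejecting it.

```python
"""Validate configuration-supplied column names against the live schema
before they are spliced into SQL (added example, not project code)."""
import sqlite3


def build_schema():
    """Constructed sample schema: a table the connector is meant to read and
    a second table holding data the connector should never return."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE orders (id INTEGER PRIMARY KEY, updated_at TEXT, amount REAL);
        CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, secret TEXT);
        INSERT INTO orders VALUES (1, '2024-01-01', 10.0), (2, '2024-01-02', 20.0);
        INSERT INTO customers VALUES (1, 'alice', 'hunter2');
        """
    )
    return conn


# Assumed config keys, modeled on the connector's incrementing/timestamp options.
LEGIT_CONFIG = {
    "incrementing.column.name": "id",
    "timestamp.column.name": "updated_at",
}
# A "column name" that is really a scalar subquery against another table.
MALICIOUS_CONFIG = {
    "incrementing.column.name": "id",
    "timestamp.column.name": "(SELECT secret FROM customers)",
}


def build_query(table, config):
    """Column and table names cannot be bound as parameters, so a connector
    has to interpolate them; this is the spot the PR's check protects."""
    inc = config["incrementing.column.name"]
    ts = config["timestamp.column.name"]
    return f"SELECT {inc}, {ts} FROM {table} WHERE {inc} > ? ORDER BY {inc} ASC"


def fetch(conn, table, config, since):
    """Run the generated query with the one value that is bound properly."""
    return conn.execute(build_query(table, config), (since,)).fetchall()


def known_columns(conn):
    """Every column name that exists in at least one table. SQLite's
    PRAGMA table_info stands in for JDBC's DatabaseMetaData.getColumns."""
    cols = set()
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for t in tables:
        quoted = t.replace('"', '""')  # table names come from the catalog, still quote them
        for row in conn.execute(f'PRAGMA table_info("{quoted}")'):
            cols.add(row[1])  # row layout: cid, name, type, notnull, dflt_value, pk
    return cols


def invalid_column_settings(conn, config):
    """Return the config entries whose value is not a real column anywhere."""
    cols = known_columns(conn)
    return {k: v for k, v in config.items() if v not in cols}


def validate_column_config(conn, config):
    """The check the PR describes: refuse to start with a column name that
    does not exist in at least one table, instead of letting it reach SQL."""
    bad = invalid_column_settings(conn, config)
    if bad:
        raise ValueError(f"configured column(s) not found in any table: {bad}")
    return config


def demo():
    """Returns (rows leaked without the check, whether the check blocks it)."""
    conn = build_schema()
    leaked = fetch(conn, "orders", MALICIOUS_CONFIG, 0)  # secret appears as a column
    blocked = bool(invalid_column_settings(conn, MALICIOUS_CONFIG))
    validate_column_config(conn, LEGIT_CONFIG)  # legitimate names pass unchanged
    return leaked, blocked


if __name__ == "__main__":
    rows, blocked = demo()
    print("without check:", rows)
    print("check rejects malicious config:", blocked)
```

The check accepts a name that exists in any table, which is what the PR describes; a column that exists only in a different table from the one being polled still fails at query time rather than at startup. A stricter variant keys the lookup by (table, column) pair, and quoting the identifier in the generated SQL is a separate, complementary defense rather than a replacement for the existence check.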