j256 / ormlite-android

ORMLite Android functionality used in conjunction with ormlite-core
http://ormlite.com/
ISC License

security issue -SQL Injection #81

Closed psedoykin closed 6 years ago

psedoykin commented 7 years ago

Hello, we use the lib in our application. Some company did a security review of our application, and it found a SQL injection issue in the code of ormlite-android.

Part information from report:

Explanation: When carried out against a client-side database, SQL injection can result in the bypassing of authentication/authorization and data corruption or exposure. The impact of a specific SQL injection vulnerability relies on the manner in which the target database is used by the application. Client-side SQL injection is often rated much lower-risk than server-side SQL injection but still may have a profound impact on multi-user applications. Any instance of rawQuery or execSQL that appeared to use format strings or concatenation was flagged by this check.

com/j256/ormlite/android/AndroidDatabaseConnection.java :

    Cursor cursor = this.db.rawQuery("SELECT DISTINCT tbl_name FROM sqlite_master WHERE tbl_name = '" + string + "'", null);

Execution: Review the application for any locations where dynamic text is used in SQL statements via format strings.

Recommendation: Use parameterized queries.

References: OWASP Mobile Top 10 2012-M4 Client Side Injection: https://www.owasp.org/index.php/Mobile_Top_10_2012-M4_Client_Side_Injection

Could you fix the issue?
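The pattern the report flags, reproduced as an added example that is not ORMLite's code: the flagged line checks whether a table exists by splicing the table name into the SQL text, and the recommended fix binds it as a query parameter instead (on Android that is the `selectionArgs` argument of `rawQuery`). Python's `sqlite3` module is used here as a stand-in for the Android SQLite API so the two variants can be run side by side; the function names and the in-memory `account` table are constructed for this demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory database with a single table, used only for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE account (id INTEGER PRIMARY KEY, name TEXT)")
    return conn


def table_exists_concat(conn, table_name):
    """Mirrors the flagged pattern: the table name becomes part of the SQL text.

    A single quote in the name breaks the statement, and SQL syntax in the
    name is parsed as SQL, so the result no longer answers the question asked.
    """
    sql = ("SELECT DISTINCT tbl_name FROM sqlite_master WHERE tbl_name = '"
           + table_name + "'")
    return conn.execute(sql).fetchone() is not None


def table_exists_param(conn, table_name):
    """Parameterized form (the report's recommendation).

    The name is bound as a value by the driver and is never interpreted as
    SQL, so any string is matched literally against tbl_name.
    """
    sql = "SELECT DISTINCT tbl_name FROM sqlite_master WHERE tbl_name = ?"
    return conn.execute(sql, (table_name,)).fetchone() is not None


def try_concat(conn, table_name):
    """Run the concatenated check and report the outcome instead of raising."""
    try:
        return ("ok", table_exists_concat(conn, table_name))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    # Constructed inputs: a real table, an absent one, a name containing a quote,
    # and a name containing SQL syntax.
    for name in ("account", "missing", "o'reilly", "nope' OR '1'='1"):
        print(f"{name!r:22} concat={try_concat(db, name)!r:28} "
              f"param={table_exists_param(db, name)}")
```

For the plain names both variants agree. For the quoted name the concatenated query fails with a syntax error while the parameterized one simply reports that no such table exists, and for the name carrying SQL syntax the concatenated query reports a table that does not exist. Binding the value is what makes the existence check trustworthy for arbitrary input.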

psedoykin commented 7 years ago

@j256 Could you check the issue?

daberni commented 7 years ago

You are just using it wrong. Sure, there can be SQL injection if you just concatenate strings. Just parameterize your arguments and you are fine; ORMLite already offers this...

psedoykin commented 7 years ago

Hi @daberni, the issue was found by a static analysis tool. So the issue is not an issue of how to use the lib; it is just a potential security issue which the static tool found in the source code of the ORM library. And it would be good if it could be fixed.

j256 commented 7 years ago

Yeah, it is in the ORMLite code, not from his use, @daberni. I've got a fix that I need to publish.

daberni commented 7 years ago

Oh, I am really sorry @psedoykin. Then I completely misinterpreted your issue :pensive:

aaprokofyev commented 7 years ago

@j256 Great news, thank you! Could you advise please when we can expect an updated build?

j256 commented 6 years ago

Fixed. See https://github.com/j256/ormlite-android/commit/b3149efe0309dc591f5df0b3d0e612f34e427eee