Open kkolman opened 3 years ago
This looks serious, has it been fixed? Is DefinedAttributeTemplateEngine used by default? If so, is my application vulnerable to injections?
Unfortunately no. I'd happily review any community contributions to fix it, otherwise it's on my radar to spend some time fixing soon. I'm not quite sure how difficult the fix is.
Unfortunately, it's also hard for me to evaluate whether it makes your application vulnerable to injection. But I do agree this is important to fix.
@kkolman @macabrus , I opened https://github.com/jdbi/jdbi/pull/2034 which should fix this. Would either of you be able to build jdbi and verify that it fixes the issue for you? We'll include it in the next release. Thanks!
Also, I don't think there is much security risk - you already should not be interpolating user provided data into template strings, but instead bind them as parameters. As long as all user provided data is properly bound as parameters there should be minimal risk.
Fixed in 3.30.0
This fix was reverted due to breakage reported in #2084 :(
Passing the following sql query
In
SqlStatement.java
https://github.com/jdbi/jdbi/blob/34a81e7cdd7ced4156aebf9708d084f68a9b6e04/core/src/main/java/org/jdbi/v3/core/statement/SqlStatement.java#L1806renderedSql
SELECT '\\' = '\'
(single backslash on the right side of the equals sign)SELECT '\\' = '\\'
(double backslash on the right side of the equals sign)