jackrabbit-oak-issues mailing list archives

From "Thomas Mueller (JIRA)" <j...@apache.org>
Subject [jira] [Created] (OAK-320) Query: ability to disable/enable literals in queries
Date Thu, 20 Sep 2012 09:35:07 GMT
Thomas Mueller created OAK-320:

             Summary: Query: ability to disable/enable literals in queries
                 Key: OAK-320
                 URL: https://issues.apache.org/jira/browse/OAK-320
             Project: Jackrabbit Oak
          Issue Type: Improvement
          Components: core, jcr
            Reporter: Thomas Mueller
            Assignee: Thomas Mueller
            Priority: Minor

For security reasons, literals should not be used in queries, because it is easy to forget
to quote them correctly. This is especially risky for admin sessions. Example:

    qm.createQuery("select user from [acme:user] where " + 
        "name = '" + userName + "' and " + 
        "password = '" + password + "'", Query.JCR_SQL2);

Most developers know they are supposed to use bind variables, but history has shown that many
developers still (for whatever reason) sometimes don't. Fortunately the JCR API does not provide
ways to manipulate data within a query; however, there is still a risk, especially for admin
sessions.

A simple way to find out whether bind variables are used throughout the code is to disable
literals in queries (so that if a literal is used within a query, the query will fail to parse).
This feature could be used in unit tests only, or in production, or just for some sessions
(for example only admin sessions).

The query parser already supports disabling literals, but there is currently no way to enable
this feature. There are multiple ways we could enable this switch: for example, literals are
always disabled just for admin sessions, or literals are always disabled for all sessions
unless the session was opened with literals explicitly enabled:

    SimpleCredentials c = new SimpleCredentials(
        "admin", "admin".toCharArray());
    c.setAttribute("queryLiterals", "true");
    return getRepository().login(c);
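As an added example (not part of this report or of Oak's code base): the concatenated query quoted above beside a version that uses JCR 2.0 bind variables, plus a small check that a unit test can run on statement strings to reject string literals the way a parser with literals disabled would. The node type `acme:user` and the property names come from the issue; the class and method names are hypothetical, and the literal check is a simplified stand-in for the parser switch the issue describes, not Oak's implementation.

```java
import javax.jcr.Session;
import javax.jcr.ValueFactory;
import javax.jcr.query.Query;
import javax.jcr.query.QueryManager;
import javax.jcr.query.QueryResult;

// Hypothetical helper class (not from OAK-320 or Oak itself).
public class UserQueries {

    // Unsafe, as quoted in the issue: the values become part of the parsed
    // statement, so a value containing a quote changes the query's meaning.
    static QueryResult findUserUnsafe(QueryManager qm, String userName, String password)
            throws Exception {
        return qm.createQuery("select user from [acme:user] where "
                + "name = '" + userName + "' and "
                + "password = '" + password + "'", Query.JCR_SQL2).execute();
    }

    // Safe: JCR 2.0 bind variables ($name). The statement is fixed text and the
    // values are supplied separately, so they are never parsed as query syntax.
    static QueryResult findUserSafe(Session session, String userName, String password)
            throws Exception {
        QueryManager qm = session.getWorkspace().getQueryManager();
        ValueFactory vf = session.getValueFactory();
        String stmt = "select * from [acme:user] where [name] = $name and [password] = $pw";
        assertNoLiterals(stmt); // fail fast, like a parser with literals disabled
        Query q = qm.createQuery(stmt, Query.JCR_SQL2);
        q.bindValue("name", vf.createValue(userName));
        q.bindValue("pw", vf.createValue(password));
        return q.execute();
    }

    // Test-time guard (assumed, simplified): true if the statement contains a
    // string literal ('...') outside a bracketed name ([...]). It does not
    // cover numeric or date literals, which a real parser switch would also reject.
    static boolean containsStringLiteral(String stmt) {
        boolean inName = false;
        for (int i = 0; i < stmt.length(); i++) {
            char ch = stmt.charAt(i);
            if (ch == '[') {
                inName = true;
            } else if (ch == ']') {
                inName = false;
            } else if (ch == '\'' && !inName) {
                return true;
            }
        }
        return false;
    }

    static void assertNoLiterals(String stmt) {
        if (containsStringLiteral(stmt)) {
            throw new IllegalArgumentException(
                    "string literal in query; use a bind variable instead: " + stmt);
        }
    }
}
```

Running `containsStringLiteral` over the statement built in `findUserUnsafe` reports a literal for any input, whereas the statement in `findUserSafe` passes, which is exactly the distinction a unit test with literals disabled is meant to surface before the code reaches an admin session.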
