DefinedAttributeTemplateEngine parsing bug #1906
Comments
This looks serious, has it been fixed? Is DefinedAttributeTemplateEngine used by default? If so, is my application vulnerable to injections?
Unfortunately no. I'd happily review any community contributions to fix it, otherwise it's on my radar to spend some time fixing soon. I'm not quite sure how difficult the fix is. Unfortunately, it's also hard for me to evaluate whether it makes your application vulnerable to injection. But I do agree this is important to fix.
Also, I don't think there is much security risk - you already should not be interpolating user provided data into template strings, but instead bind them as parameters. As long as all user provided data is properly bound as parameters there should be minimal risk.
Fixed in 3.30.0
This fix was reverted due to breakage reported in #2084 :(
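As an added example (not code from the jdbi project or from anyone in this thread), the following Java shows the practice the comment above recommends: user-supplied values go in as bound parameters so the template engine never sees them, defined attributes are reserved for trusted structure such as an allowlisted table name, and a statement whose SQL text itself needs literal backslashes can opt out of template rendering with jdbi's TemplateEngine.NOP. It assumes jdbi3-core and an H2 in-memory database on the classpath; the JDBC URL, class name, table names and allowlist are assumptions.

```java
import java.util.Set;

import org.jdbi.v3.core.Handle;
import org.jdbi.v3.core.Jdbi;
import org.jdbi.v3.core.statement.TemplateEngine;

// Added example, not code from the jdbi project or from this issue thread.
public class BindDoNotInterpolate {

    // Trusted, application-controlled identifiers; never taken from a request. (assumed)
    private static final Set<String> ALLOWED_TABLES = Set.of("users", "audit_log");

    // Safe: the value is a bound parameter. The template engine only renders the
    // SQL text, which contains no backslashes and no user data, so a value such
    // as a single backslash reaches the database unchanged.
    static String roundTrip(Handle h, String userValue) {
        return h.createQuery("SELECT CAST(:v AS VARCHAR)")
                .bind("v", userValue)
                .mapTo(String.class)
                .one();
    }

    // Defined attributes (<table>) are for trusted structure such as an
    // allowlisted table name, not for user-supplied values.
    static int countRows(Handle h, String table) {
        if (!ALLOWED_TABLES.contains(table)) {
            throw new IllegalArgumentException("table not allowed: " + table);
        }
        return h.createQuery("SELECT count(*) FROM <table>")
                .define("table", table)
                .mapTo(Integer.class)
                .one();
    }

    // A statement whose SQL text itself needs literal backslashes and uses no
    // <attributes> can turn template rendering off for this handle, so the text
    // reaches the driver exactly as written.
    static boolean compareLiteralsWithoutTemplating(Handle h) {
        h.setTemplateEngine(TemplateEngine.NOP);
        // The Java source "'\\\\' = '\\'" is the SQL text  '\\' = '\'  from the issue.
        return h.createQuery("SELECT '\\\\' = '\\'")
                .mapTo(Boolean.class)
                .one();
    }

    public static void main(String[] args) {
        // Assumed: an H2 in-memory database; any JDBC URL would do.
        Jdbi jdbi = Jdbi.create("jdbc:h2:mem:issue1906;DB_CLOSE_DELAY=-1");
        jdbi.useHandle(h -> {
            h.execute("CREATE TABLE users (id INT)");
            h.execute("INSERT INTO users VALUES (1), (2)");

            String backslash = "\\"; // a single backslash, as a user might send it
            System.out.println("bound value unchanged: " + backslash.equals(roundTrip(h, backslash)));
            System.out.println("rows in users: " + countRows(h, "users"));
            System.out.println("literal comparison: " + compareLiteralsWithoutTemplating(h));
        });
    }
}
```

The first two methods are the pattern to rely on: whatever the template engine does with backslashes, a bound value is handed to the driver separately from the SQL text and cannot alter the statement. The third method only keeps the text as written; H2 treats backslashes in string literals as ordinary characters, while databases that use backslash escapes parse the same literals differently.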
Passing the following sql query

SELECT '\\' = '\'
(single backslash on the right side of the equals sign)

In SqlStatement.java
jdbi/core/src/main/java/org/jdbi/v3/core/statement/SqlStatement.java, line 1806 in 34a81e7
renderedSql:

SELECT '\\' = '\\'
(double backslash on the right side of the equals sign)