Assert all input parameters used in dynamic SQL and PL/SQL #921

Closed
@PhilippSalvisberg

Description

This is a generic issue. There are some places in utPLSQL that are vulnerable to SQL injections. We have to

  1. find a way to identify them
  2. fix them
  3. set up an automated review mechanism to find such issues, e.g. during our automated builds

@krisrice pointed out the following example in ut_suite_manager.get_cached_suite_data

and c.object_owner = ']'||upper(a_object_owner)||q'['

This line has two issues

  1. the parameter is not asserted, in this case via sys.dbms_assert.schema_name
  2. the parameter is converted to upper case, which leads to wrong results when quoted usernames are used (see also Quoted usernames are not supported #920).

utPLSQL Version

v3.1.7.2808-develop
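The following is an added example, not code from utPLSQL or from the issue author. It places the concatenation pattern quoted above next to a hardened form built on sys.dbms_assert.schema_name and bind variables. The names build_filter_unsafe, count_objects_safe and run_in_schema are hypothetical, and the queries run against ALL_OBJECTS (column OWNER) instead of the internal cursor the issue refers to.

```sql
-- Added example (not utPLSQL code). Function and procedure names are hypothetical.

-- Unsafe: the caller's value is spliced into the SQL text and upper-cased.
-- A crafted value changes the meaning of the statement, and a quoted user
-- such as "MyUser" never matches because UPPER() turns it into MYUSER.
create or replace function build_filter_unsafe(a_object_owner in varchar2)
  return varchar2
is
begin
  return q'[select count(*) from all_objects c where c.owner = ']'
         || upper(a_object_owner) || q'[']';
end build_filter_unsafe;
/

-- Hardened: verify that the value is an existing schema (exact, case-sensitive
-- match, so a quoted username works when passed in its stored form) and pass
-- it as a bind variable instead of concatenating it into the SQL text.
create or replace function count_objects_safe(a_object_owner in varchar2)
  return number
is
  l_owner varchar2(128);
  l_count number;
begin
  -- Raises ORA-44001 (invalid schema) when a_object_owner is not a schema name.
  l_owner := sys.dbms_assert.schema_name(a_object_owner);
  execute immediate
    'select count(*) from all_objects c where c.owner = :owner'
    into l_count using l_owner;
  return l_count;
end count_objects_safe;
/

-- When the name has to appear in the statement text (a dynamic PL/SQL call,
-- where a bind variable cannot be used), assert it first and then let
-- dbms_assert.enquote_name add the double quotes; capitalize => false keeps
-- the case of the value so quoted usernames survive.
create or replace procedure run_in_schema(a_object_owner in varchar2,
                                         a_package      in varchar2,
                                         a_procedure    in varchar2)
is
  l_owner varchar2(130);
  l_stmt  varchar2(1000);
begin
  l_owner := sys.dbms_assert.enquote_name(
               sys.dbms_assert.schema_name(a_object_owner), false);
  l_stmt  := 'begin ' || l_owner || '.'
             || sys.dbms_assert.enquote_name(
                  sys.dbms_assert.simple_sql_name(a_package), false) || '.'
             || sys.dbms_assert.enquote_name(
                  sys.dbms_assert.simple_sql_name(a_procedure), false)
             || '; end;';
  execute immediate l_stmt;
end run_in_schema;
/

-- Usage with constructed input: SYS exists in every database, the second name
-- does not, so the hardened function rejects it before any SQL is executed.
set serveroutput on
begin
  dbms_output.put_line(build_filter_unsafe('sys'));
  dbms_output.put_line(count_objects_safe('SYS'));
  begin
    dbms_output.put_line(count_objects_safe('no_such_schema'));
  exception
    when others then
      dbms_output.put_line('rejected: ' || sqlerrm);  -- ORA-44001: invalid schema
  end;
end;
/
```

The bind variable in count_objects_safe is what removes the injection; the schema_name check on top of it turns a silently empty result for a misspelled or non-existent owner into an explicit error. In run_in_schema the value must be part of the statement text, so the assert functions are the only defence, and the capitalize => false argument is what keeps the fix from reintroducing the upper-casing problem from the second point above.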
