Question
At the moment, I know four ways of doing transactions with Hibernate:
- Using objects
- Using HQL
- Using DB-specific SQL
- Using criteria (QBE)
Well, regarding how strong they are against injections, I think these are (correct me if I'm wrong):
- Secure, because the internal SQL call is parameterized.
- Secure if the query is parameterized, insecure otherwise.
- Same as #2 but not as portable.
- Insecure?
My question is about #4, Query by Example, because I've found it is also vulnerable. Example:
import java.util.List;
import org.hibernate.Criteria;
import org.hibernate.criterion.Example;
Account a = new Account(); // POJO class mapped to the accounts table; id is a String here
a.setId("1' OR '1'='1"); // attacker-controlled value placed in the id property
// s is an org.hibernate.Session instance
Criteria crit = s.createCriteria(Account.class);
crit.add(Example.create(a)); // QBE: Example ignores the identifier property, so no id filter is applied
List results = crit.list(); // table dump!
That snippet selects the whole accounts table. Is there any way to prevent injection? How?
NOTE: I'm using Hibernate 3.6.5 final, the testing database is HSQLDB.
UPDATE: Seems like a bug to me too, and indeed it may not be related to the injected SQL. Tried setting the id with a nonexistent value and it also returns all the rows. Tried the injection with '5'='5' instead of '1'='1' and the 5 is not propagated to the SQL call. It keeps using (1=1) as the where clause.
UPDATE 2: Solved. See the answer below.
Answer 1:
Hibernate QBE ignores the id (mapped to PK) fields. It seems that this is done because an id filter would return only one row, and this can be achieved with a get() or a load(). I wonder what happens if I want to use a LIKE condition on the id?
Related posts on hibernate official forum:
https://forum.hibernate.org/viewtopic.php?t=927063
https://forum.hibernate.org/viewtopic.php?t=938036
Answer 2:
You can sanitize your input, e.g. in your code you should make sure you set a Long value to the ID field.
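A defensive version of the lookup that addresses both the question and the two answers, as an added example (not code from the question or the answers): it assumes an Account entity with a typed Long id plus owner and status properties, adds the identifier explicitly with Restrictions.idEq because Example.create() ignores it, and rejects an empty probe that would otherwise select every row.

```java
import java.util.List;
import javax.persistence.Entity;
import javax.persistence.Id;
import org.hibernate.Criteria;
import org.hibernate.Session;
import org.hibernate.criterion.Example;
import org.hibernate.criterion.Restrictions;

// Assumed entity (not from the question): a Long id instead of a String id,
// so a value like "1' OR '1'='1" cannot even be assigned to it.
@Entity
class Account {
    @Id private Long id;
    private String owner;
    private String status;
    public Long getId() { return id; }
    public void setId(Long id) { this.id = id; }
    public String getOwner() { return owner; }
    public void setOwner(String owner) { this.owner = owner; }
    public String getStatus() { return status; }
    public void setStatus(String status) { this.status = status; }
}

public class AccountLookup {
    /**
     * Query by example without the silent "WHERE 1=1" table dump.
     * Example.create() ignores the identifier property, so the id is added as a
     * separate, parameter-bound Criterion; a probe with nothing to filter on is rejected.
     */
    public static List<Account> findByExample(Session s, Account probe) {
        if (probe.getId() == null && probe.getOwner() == null && probe.getStatus() == null) {
            throw new IllegalArgumentException("empty probe would select every row");
        }
        Criteria crit = s.createCriteria(Account.class);
        if (probe.getId() != null) {
            // bound as a JDBC parameter, never concatenated into the SQL text
            crit.add(Restrictions.idEq(probe.getId()));
        }
        // Non-id properties are compared with parameter-bound equality; null properties are excluded by default.
        crit.add(Example.create(probe));
        crit.setMaxResults(100); // last line of defence against dumping the whole table
        @SuppressWarnings("unchecked")
        List<Account> results = crit.list();
        return results;
    }
}
```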
Source: https://stackoverflow.com/questions/6746486/how-to-secure-hibernate-qbe-query