如何保护Hibernate QBE查询 [英] How to secure Hibernate QBE query

问题描述

1. 使用对象


2. 使用HQL


3. 使用特定于数据库的SQL


4. 使用标准（QBE）
   

好吧，关于他们注射的强度有多强，我认为这些是（纠正我，如果我错了）：

1. 安全，因为内部SQL调用是参数化的。


2. 如果查询是参数化的， 2，但不是便携式。


3. 不安全？

我的问题是关于＃4，Query例如，因为我发现它也很脆弱。例子：

 账户a =新账户（）; // POJO类
 a.setId（1或1='1）; 
 
 // s是一个org.hibernate.Session实例
 Criteria crit = s.createCriteria（Account.class）; 
 crit.add（Example.create（a））; 
列表结果= crit.list（）; //表格转储！ 
  

该片段选择整个科目表。有什么办法可以预防注射吗？如何？

注意：我使用Hibernate 3.6.5 final，测试数据库是HSQLDB。

更新：看起来像我也是一个错误，实际上可能与注入的SQL无关。试图用一个不存在的值设置id并返回所有的行。尝试注射'5'='5'而不是'1'='1'，并且5不传播给SQL调用。它继续使用（1 = 1）作为where子句。

更新2：已解决。请参阅下面的答案。

解决方案

Hibernate QBE忽略id（映射到PK）字段。看起来这样做是因为一个id过滤器只会返回一行，这可以通过get（）或load（）来实现。我不知道如果我想使用类似条件的ID ???

在hibernate官方论坛上的相关帖子：

https://forum.hibernate.org/viewtopic.php?t=927063

https： //forum.hibernate.org/viewtopic.php?t=938036

By the moment, I know four kinds of doing transactions with hibernate:

1. Using objects
2. Using HQL
3. Using DB-specific SQL
4. Using criteria (QBE)

Well, regarding how strong are they against injections, I think these are (correct me if I'm wrong):

1. Secure, because the internal SQL call is parameterized.
2. Secure if the query is parameterized, insecure otherwise.
3. Same as #2 but not as portable.
4. Insecure?

My question is about #4, Query by Example, because i've found it is also vulnerable. Example:

    Account a = new Account(); //POJO class       
    a.setId("1' OR '1'='1");

    //s is a org.hibernate.Session instance
    Criteria crit = s.createCriteria(Account.class);
    crit.add(Example.create(a));
    List results = crit.list();  //table dump!

That snippet selects the whole accounts table. Is there any way to prevent injection? How?

NOTE: I'm using Hibernate 3.6.5 final, the testing database is HSQLDB.

UPDATE: Seems like a bug to me too, and indeed may be not related to the injected SQL. Tried setting the id with a nonexistent value and also returns all the rows. Tried the injection with '5'='5' instead of '1'='1' and the 5 is not propagated to the SQL call. It keeps using (1=1) as where clause.

UPDATE 2: Solved. See the answer below.

解决方案

Hibernate QBE ignores the id (mapped to PK) fields. Seems that this is done because an id filter would return only a row, and this can be achieved with a get() or a load(). I wonder what if I want to use a like condition on the id???

Related posts on hibernate official forum:

https://forum.hibernate.org/viewtopic.php?t=927063

https://forum.hibernate.org/viewtopic.php?t=938036

这篇关于如何保护Hibernate QBE查询的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！