如何保护Hibernate QBE查询 [英] How to secure Hibernate QBE query
问题描述
- 使用对象
- 使用HQL
- 使用特定于数据库的SQL
- 使用标准(QBE)
好吧,关于他们注射的强度有多强,我认为这些是(纠正我,如果我错了):
- 安全,因为内部SQL调用是参数化的。
- 如果查询是参数化的, 2,但不是便携式。
- 不安全?
我的问题是关于#4,Query例如,因为我发现它也很脆弱。例子:
账户a =新账户(); // POJO类
a.setId(1或1='1);
// s是一个org.hibernate.Session实例
Criteria crit = s.createCriteria(Account.class);
crit.add(Example.create(a));
列表结果= crit.list(); //表格转储!
该片段选择整个科目表。有什么办法可以预防注射吗?如何?
注意:我使用Hibernate 3.6.5 final,测试数据库是HSQLDB。
更新:看起来像我也是一个错误,实际上可能与注入的SQL无关。试图用一个不存在的值设置id并返回所有的行。尝试注射'5'='5'而不是'1'='1',并且5不传播给SQL调用。它继续使用(1 = 1)作为where子句。
更新2:已解决。请参阅下面的答案。
Hibernate QBE忽略id(映射到PK)字段。看起来这样做是因为一个id过滤器只会返回一行,这可以通过get()或load()来实现。我不知道如果我想使用类似条件的ID ???
在hibernate官方论坛上的相关帖子:
https://forum.hibernate.org/viewtopic.php?t=927063
https: //forum.hibernate.org/viewtopic.php?t=938036
By the moment, I know four kinds of doing transactions with hibernate:
- Using objects
- Using HQL
- Using DB-specific SQL
- Using criteria (QBE)
Well, regarding how strong are they against injections, I think these are (correct me if I'm wrong):
- Secure, because the internal SQL call is parameterized.
- Secure if the query is parameterized, insecure otherwise.
- Same as #2 but not as portable.
- Insecure?
My question is about #4, Query by Example, because i've found it is also vulnerable. Example:
Account a = new Account(); //POJO class
a.setId("1' OR '1'='1");
//s is a org.hibernate.Session instance
Criteria crit = s.createCriteria(Account.class);
crit.add(Example.create(a));
List results = crit.list(); //table dump!
That snippet selects the whole accounts table. Is there any way to prevent injection? How?
NOTE: I'm using Hibernate 3.6.5 final, the testing database is HSQLDB.
UPDATE: Seems like a bug to me too, and indeed may be not related to the injected SQL. Tried setting the id with a nonexistent value and also returns all the rows. Tried the injection with '5'='5' instead of '1'='1' and the 5 is not propagated to the SQL call. It keeps using (1=1) as where clause.
UPDATE 2: Solved. See the answer below.
Hibernate QBE ignores the id (mapped to PK) fields. Seems that this is done because an id filter would return only a row, and this can be achieved with a get() or a load(). I wonder what if I want to use a like condition on the id???
Related posts on hibernate official forum:
https://forum.hibernate.org/viewtopic.php?t=927063
https://forum.hibernate.org/viewtopic.php?t=938036
这篇关于如何保护Hibernate QBE查询的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!