Spring Data Jpa Sql Injection




  1. Java Persistence API (JPA), is an ORM solution that is a part of the Java EE framework. It helps manage relational data in applications that use Java SE and Java EE. It is a common misconception that ORM solutions like JPA (Java Persistence API) are SQL Injection proof.
  2. It uses Spring Data JPA to access the database, but this is only one of many possible choices (for example, you could use plain Spring JDBC). What You Will Build You will create a MySQL database, build a Spring application, and connect it to the newly created database.

Medium

Vendor

Spring by Pivotal

Name Email Dev Id Roles Organization; Oliver Drotbohm: odrotbohm at pivotal.io: odrotbohm: Project lead: Pivotal Software, Inc. Mark Paluch: mpaluch at pivotal.io. In simple words, SQL Injection means injecting/inserting SQL code in a query via user-inputted data. It can occur in any applications using relational databases like Oracle, MySQL, PostgreSQL and SQL Server. To perform SQL Injection, a malicious user first tries to find a place in the application where he can embed SQL code along with data.

  • Spring Data JPA 1.10.2, 1.9.4
  • Other unsupported versions are also affected

Jpa Sql Query

Description

Sort instances handed into user defined Spring Data repository query methods using manually declared JPQL queries are handed to the persistence provider as is and allow attackers to inject arbitrary JPQL into ORDER BY clauses which they might use to draw conclusions about non-exposed fields based on the query result's element order changing depending on the injected JPQL.

Spring Data Jpa Specification Sql Injection

Injection

This especially comes into play if the Sort instances are created from untrustable sources, e.g. web request parameters.

Spring Jpa Print Sql

Spring

Spring Data Jpa Sql Injection

Spring

Users of affected versions should apply the following mitigation:

  • Users are advised to upgrade to Spring Data JPA in version 1.10.4 (Hopper SR4) or 1.9.6 (Gosling SR6). These versions contain sanitizing of the Sort instances handed to the data access layer and only allow referring to domain object fields and aliases used in the JPQL backing the query method.
  • Should users still need to hand complex sort expressions to the data access layer, they can use the newly introduced JpaSort.unsafe(…) to reinstantiate the old behavior.
Credit

Spring Data Jpa Native Sql

The vulnerability was reported responsibly by Niklas Särökaari from Silverskin Information Security and Joona Immonen, Arto Santala, Antti Virtanen, Michael Holopainen and Antti Ahola from Solita.

Spring Data Jpa Sql

History

2016-September-30: Initial vulnerability report published