-
Notifications
You must be signed in to change notification settings - Fork 933
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ObjectToSQLString implementations are problematic #3516
Comments
From my viewpoint, this method should be obsoleted and no more used. Building string fragments of literal values is a bad practice. Parameters should be used instead. I can find three usages:
|
Using literal values in SQL does have some value. E.g. filtered indexes rely on the filtered columns not being supplied as parameters. And filtered indexes are really useful, e.g in scenarios where discriminators are being used. It makes it easy to create indexes tailor made for the sub classes in a class hierarchy. We use that functionality, and I'm certain others do as well. We could probably "re-enable" such things with query rewriting if the literals were removed, but it's something to take into account. Making them into parameters is likely to cause performance degradation for some users. |
At least with discriminators, the injection risk is very slim, their values being not dynamic but hard-coded in the mappings. Since NHibernate does not actually use those Still, we should not let there security vulnerabilities there. If we cannot simply obsolete these methods and cease using them, they would have to be fixed. But I am not sure the dialects currently allow for robust literal SQL fragment generation. It may even be bound to the server or connection locales, like mdy vs dmy troubles on strings representing dates with SQL Server. (Which can be dodged by using an ISO format, but will we have this kind of solution with every vendor?) |
Would someone want to write this up? https://github.com/nhibernate/nhibernate-core/security/advisories/new |
I now see it is used in HQL too, for |
It is hard to evaluate the impact of the flaw, since the vulnerable methods take an object as a value and do not, in most case, check it is of the expected type. So, with The question is then, is it possible to get On Hibernate side, these |
SQLiteDialect: FormatException due to string conversion of DateTime fields seems to be related to this issue which demonstrates what happens when you carelessly convert to/from a string without using the appropriate locale for the conversion. |
No it is not related to |
The advisory was drafted a few weeks ago but I have not seen reactions to it. https://github.com/nhibernate/nhibernate-core/security/advisories |
The security concerns raised here have now been addressed. Bugs remain. |
While working with DateOnly and TimeOnly support I realized that the ObjectToSQLString method of ILiteralType is quite problematic.
AbstractStringType:
"'" + (string)value + "'"
AbstractCharType:
'\'' + value.ToString() + '\''
AbstractDateTimeType:
"'" + (DateTime) value + "'"
DateTimeOffsetType:
"'" + ((DateTimeOffset) value) + "'"
DateType:
"\'" + ((DateTime)value).ToShortDateString() + "\'"
DecimalType:
value.ToString()
And there are more.
Since the method has access to the dialect, maybe more formatting should be moved there.
The text was updated successfully, but these errors were encountered: