midsuit
/
core-jgi
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

IDEMPIERE-4495 github code scanning alerts (#305) 

* IDEMPIERE-4495 github code scanning alerts

Failure to use secure cookies

* Query built without neutralizing special characters
This commit is contained in:
Carlos Ruiz 2020-10-17 08:11:12 +02:00 committed by GitHub
parent c0867c01ee
commit 9075b6d84b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
org.adempiere.base/src/org/compiere/util/WebUtil.java
View File

@ -450,7 +450,7 @@ public final class WebUtil
{ {
Cookie cookie = new Cookie (WebEnv.COOKIE_INFO, propertiesEncode(cookieProperties)); Cookie cookie = new Cookie (WebEnv.COOKIE_INFO, propertiesEncode(cookieProperties));
cookie.setComment("(c) iDempiere, Inc - Jorg Janke"); cookie.setComment("(c) iDempiere, Inc - Jorg Janke");
cookie.setSecure(false); cookie.setSecure(true);
cookie.setPath("/"); cookie.setPath("/");
if (cookieProperties.size() == 0) if (cookieProperties.size() == 0)
cookie.setMaxAge(0); // delete cookie cookie.setMaxAge(0); // delete cookie

6
org.compiere.db.oracle.provider/src/org/compiere/db/DB_Oracle.java
View File

@ -992,7 +992,6 @@ public class DB_Oracle implements AdempiereDatabase
Text1 NVARCHAR2(2000) NULL, Text1 NVARCHAR2(2000) NULL,
Text2 VARCHAR2(2000) NULL Text2 VARCHAR2(2000) NULL
); );
**/
try try
{ {
String myString1 = "123456789 12345678"; String myString1 = "123456789 12345678";
@ -1007,13 +1006,13 @@ public class DB_Oracle implements AdempiereDatabase
System.out.println(Util.size(myString.toString())); System.out.println(Util.size(myString.toString()));
// //
Connection conn2 = db.getCachedConnection(cc, true, Connection.TRANSACTION_READ_COMMITTED); Connection conn2 = db.getCachedConnection(cc, true, Connection.TRANSACTION_READ_COMMITTED);
/** **/ //
PreparedStatement pstmt = conn2.prepareStatement PreparedStatement pstmt = conn2.prepareStatement
("INSERT INTO X_Test(Text1, Text2) values(?,?)"); ("INSERT INTO X_Test(Text1, Text2) values(?,?)");
pstmt.setString(1, myString.toString()); // NVARCHAR2 column pstmt.setString(1, myString.toString()); // NVARCHAR2 column
pstmt.setString(2, myString.toString()); // VARCHAR2 column pstmt.setString(2, myString.toString()); // VARCHAR2 column
System.out.println(pstmt.executeUpdate()); System.out.println(pstmt.executeUpdate());
/** **/ //
Statement stmt = conn2.createStatement(); Statement stmt = conn2.createStatement();
System.out.println(stmt.executeUpdate System.out.println(stmt.executeUpdate
("INSERT INTO X_Test(Text1, Text2) values('" + myString + "','" + myString + "')")); ("INSERT INTO X_Test(Text1, Text2) values('" + myString + "','" + myString + "')"));
@ -1024,6 +1023,7 @@ public class DB_Oracle implements AdempiereDatabase
} }
db.cleanup(); db.cleanup();
System.out.println("--------------------------------------------------"); System.out.println("--------------------------------------------------");
**/
System.exit(0); System.exit(0);