#where() directive always prefixes "WHERE"
mbassermann opened this issue · 7 comments
If we use the #where() directive, a "WHERE" is always prepended at the beginning, even though no condition is met.
It's because of the "VelocityWhitespaceGobbling".
Example:
select * from foo
#where()
#end
output: select * from foo WHERE
Using:
mybatis 3.2.3
mybatis-velocity 1.1
velocity 1.7
Cause -> TrimDirective.render() line 78, no length/whitespace checking of body?
Confirmed. I am fixing it.
On Wed, Nov 20, 2013 at 3:49 AM, mbassermann wrote:
> Cause -> TrimDirective.render() line 78, no length/whitespace checking of body?
Frank D. Martínez M.
Thanks!
I have a security concern around the change that was made to the Where directive in this issue.
Before this change, if an unexpected empty argument was passed to the mapper method, the velocity template would generate an invalid SQL statement, causing an Exception:
"SELECT * FROM Product WHERE"
After the change, an unexpected empty argument would generate a valid query such as "SELECT * FROM Product", which can cause the exposure of data that the user is not authorized to see. We will have to add security and parameter checks to each call to the mapper to prevent this from happening.
I would rather see the query fail and generate an exception for an unexpected parameter instead of exposing critical information to the user. This is a very serious concern with financial applications.
Hi Zaher,
I understand your concerns, but the idea of the #where directive is precisely to add the "WHERE" prefix if and only if the resulting inner dynamic SQL is not empty.
On Fri, Jan 31, 2014 at 9:41 AM, Zaher hammoud wrote:
> I have a security concern around the change that was made to the Where directive in this issue.
> Before this change, if an unexpected empty argument was passed to the mapper method, the velocity template would generate an invalid SQL statement, causing an Exception:
> "SELECT * FROM Product WHERE"
> After the change, an unexpected empty argument would generate a valid query such as "SELECT * FROM Product", which can cause the exposure of data that the user is not authorized to see. We will have to add security and parameter checks to each call to the mapper to prevent this from happening.
> I would rather see the query fail and generate an exception for an unexpected parameter instead of exposing critical information to the user. This is a very serious concern with financial applications.
Frank D. Martínez M.
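To make the two behaviours discussed in this thread concrete, here is an added example (not mybatis-velocity's own code, and not using its API): a small function that emulates what the fixed #where directive does (prefix WHERE only when the rendered body is non-blank, and drop a leading AND/OR), the query the thread's template would render for an empty filter, and the caller-side guard Zaher is asking for, which rejects a missing required filter before the mapper is ever called. The `ownerId` column and the `?` placeholder are assumptions made for the illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Added example, not mybatis-velocity's own code. It models the directive's
// semantics in plain Java and shows a service-layer guard; the column name
// and parameter placeholder are constructed for the illustration.
public final class WhereDirectiveExample {

    // Leading "AND " / "OR " that a template emits before its first condition.
    private static final Pattern LEADING_AND_OR = Pattern.compile("(?i)^(AND|OR)\\s+");

    /** Emulates #where(): "" for a blank body, otherwise " WHERE " + body without a leading AND/OR. */
    static String where(String body) {
        String trimmed = body == null ? "" : body.trim();
        if (trimmed.isEmpty()) {
            return "";                       // nothing to filter on: no dangling WHERE (the fix)
        }
        return " WHERE " + LEADING_AND_OR.matcher(trimmed).replaceFirst("");
    }

    /** The statement the template on this issue would render for a given (possibly empty) filter. */
    static String productQuery(String ownerId) {
        List<String> conditions = new ArrayList<>();
        if (ownerId != null && !ownerId.isEmpty()) {
            conditions.add("AND owner_id = ?");   // as a template would emit it inside #where
        }
        return "SELECT * FROM Product" + where(String.join(" ", conditions));
    }

    /**
     * Guard applied before calling the mapper: a required filter that is absent
     * must fail the call instead of silently widening the query to every row.
     */
    static String productQueryForOwner(String ownerId) {
        if (ownerId == null || ownerId.trim().isEmpty()) {
            throw new IllegalArgumentException("ownerId is required");
        }
        return productQuery(ownerId);
    }

    public static void main(String[] args) {
        System.out.println(productQuery("42"));   // SELECT * FROM Product WHERE owner_id = ?
        System.out.println(productQuery(""));     // SELECT * FROM Product  (the case Zaher flags)
        try {
            productQueryForOwner("");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The point of the guard is that the directive cannot know which parameters are mandatory; only the service layer does, so that is where the "fail rather than select everything" decision belongs.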
Thanks for the clarification Frank. I might have misinterpreted its original purpose. I still think it is too risky to use but at least it is an optional feature :)