Uploaded image for project: 'OASIS Open Data Protocol (OData) TC'
  1. OASIS Open Data Protocol (OData) TC
  2. ODATA-1110

Provide guidance for sql-injection type attacks

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: New
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: V4.0_WD01
    • Fix Version/s: CN01
    • Component/s: Securing OData
    • Labels:
      None
    • Environment:

      [Proposed]

    • Proposal:
      Hide

      Add a cautionary note that, when taking input from a user, an application must make sure it is the expected type; for example, make sure there are no unescaped '&'.

      Show
      Add a cautionary note that, when taking input from a user, an application must make sure it is the expected type; for example, make sure there are no unescaped '&'.

      Description

      If the application has the expression:

      Customers?$filter=id eq @id

      and the user supplies the value for @id as "1&$expand=Orders"

      Then they have expanded the data that the application was intending.

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              mikep Michael Pizzo (Inactive)
            • Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated: