In camunda engine jar, mybatis xmls like Attachment.xml is giving Fortify scanning issues

The Camunda engine jar contains some MyBatis XML files for the database tables, which is giving Fortify scanning vulnerabilities like SQL injection, because some of the XMLs contain ${somestring} for string concatenation. HP Fortify is taking this as an SQL injection issue and giving a suggestion to use #{} instead. In almost all XMLs (Attachment.xml) the table name is prefixed with ${prefix}, which is also showing as an SQL injection possibility. I am using the 7.6.0 camunda-engine.jar. Is there any way I can fix it?
Thanks in advance.

Hi @Jude_Antony,

yes, Camunda uses string substitution in queries a lot, as well as the parameter injection mechanism. You can create a ticket in our JIRA and provide a pull request with an alternative implementation if you would like to.

Realistically, I think that there is not much to do about it. Replacing those statements looks to me like a very resource-intensive task. And since the prefix, order by and limit statements are provided through the same XML files and not taken from the user, this should not be a real threat in any case.

Cheers,
Askar.
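To make the distinction in the reply above concrete, here is an added example (not code from Camunda, MyBatis or anyone in this thread) that mirrors the two MyBatis mechanisms in plain Python with sqlite3: a configuration-sourced table prefix and ORDER BY column are spliced into the SQL text the way `${prefix}` is, but only after an identifier check and an allowlist, while the user-supplied value is bound as a parameter the way `#{}` does it. The table name `ACT_HI_ATTACHMENT`, the prefix `ACT_` and the sample rows are assumptions made for the demo. An unvalidated variant is kept alongside so the difference a scanner is flagging is visible.

```python
import re
import sqlite3

# Constructed sample schema: one prefixed table standing in for the
# attachment table the mapper XML would address (names are assumptions).
_SCHEMA = """
CREATE TABLE ACT_HI_ATTACHMENT (ID_ TEXT, NAME_ TEXT, TASK_ID_ TEXT);
INSERT INTO ACT_HI_ATTACHMENT VALUES ('1', 'spec.pdf', 't1');
INSERT INTO ACT_HI_ATTACHMENT VALUES ('2', 'notes.txt', 't2');
"""

# Identifiers cannot be bound as SQL parameters, so anything spliced into
# the statement text (the ${} case) is constrained to a strict shape.
_IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# Columns the caller may order by; anything else is rejected outright.
_ORDER_COLUMNS = {"ID_", "NAME_", "TASK_ID_"}


def validate_identifier(name: str) -> str:
    """Return the identifier unchanged if it is a bare SQL name, else raise."""
    if not _IDENTIFIER.match(name):
        raise ValueError(f"unsafe SQL identifier: {name!r}")
    return name


def build_select(prefix: str, order_by: str) -> str:
    """Assemble the statement text. Only configuration-sourced identifiers
    are spliced in (like ${prefix} / ${orderBy}); the task id stays a
    bind placeholder (like #{taskId})."""
    table = validate_identifier(prefix + "HI_ATTACHMENT")
    if order_by not in _ORDER_COLUMNS:
        raise ValueError(f"order column not allowed: {order_by!r}")
    return f"SELECT ID_, NAME_ FROM {table} WHERE TASK_ID_ = ? ORDER BY {order_by}"


def _connect() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(_SCHEMA)
    return conn


def find_attachments(prefix: str, order_by: str, task_id: str) -> list:
    """Hardened form: the user value travels as a bound parameter."""
    conn = _connect()
    try:
        return conn.execute(build_select(prefix, order_by), (task_id,)).fetchall()
    finally:
        conn.close()


def unsafe_find(prefix: str, task_id: str) -> list:
    """What the scanner is warning about: the user value is concatenated
    into the statement text, so its quotes become part of the SQL."""
    conn = _connect()
    try:
        sql = (f"SELECT ID_, NAME_ FROM {prefix}HI_ATTACHMENT "
               f"WHERE TASK_ID_ = '{task_id}' ORDER BY ID_")
        return conn.execute(sql).fetchall()
    finally:
        conn.close()


if __name__ == "__main__":
    print(find_attachments("ACT_", "NAME_", "t1"))
    print(find_attachments("ACT_", "NAME_", "' OR '1'='1"))  # bound: no match
    print(unsafe_find("ACT_", "' OR '1'='1"))                # spliced: every row
```

The point for a scanner finding like Fortify's is the provenance of each `${}` value, which the tool cannot see: a prefix or column name that comes from the engine's own configuration and passes an identifier check is a different risk class from a request parameter spliced into the statement, and a review of the finding should record which one each flagged substitution is.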

Hi Askar,

We are also facing a blind SQL injection issue in our Codenomicon scan. Is there any plan to fix this issue?

Thanks
Senthil