Avoid injection issues in the JDBC datasource#2654

Merged
jbonofre merged 1 commit into
apache:mainfrom
coheigea:coheigea/jdbc-injection
May 25, 2026

Conversation

@coheigea (Contributor)

There is a minor security issue in the JDBC datasource - the datasource name parameter is concatenated directly into OSGi LDAP-syntax filter strings without escaping.

For example:

```
feature:install pax-jdbc-derby jdbc
jdbc:ds-create -dn derby -url "jdbc:derby:test;create=true" test
jdbc:ds-create -dn derby -url "jdbc:derby:test2;create=true" test2
jdbc:ds-list
Name  │ Service Id │ Product      │ Version               │ URL              │ Status
──────┼────────────┼──────────────┼───────────────────────┼──────────────────┼───────
test  │ 107        │ Apache Derby │ 10.14.2.0 - (1828579) │ jdbc:derby:test  │ OK
test2 │ 108        │ Apache Derby │ 10.14.2.0 - (1828579) │ jdbc:derby:test2 │ OK
```

Now `jdbc:ds-info *` returns information on "test". And `jdbc:ds-delete *` deletes all tables.
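To make the injection concrete, here is an added example that is not part of the PR or of Karaf's code: a user-supplied datasource name concatenated into an OSGi LDAP-style filter beside the same filter built with the name escaped, evaluated against a constructed two-service registry that mirrors the `test`/`test2` datasources above. The filter shape (`objectClass` plus `osgi.jndi.service.name`) and the tiny `matches()` evaluator are assumptions standing in for the real filter Karaf builds and for `org.osgi.framework.Filter.match`; the escaping rule itself (`*`, `(`, `)`, `\` and NUL become a backslash and two hex digits) is the one the OSGi Core filter syntax and RFC 4515 specify.

```python
import re

# Constructed stand-in for the OSGi service registry: the two DataSource
# services created by the jdbc:ds-create commands in the PR description.
# (Real OSGi registers objectClass as String[]; a single string suffices here.)
REGISTRY = [
    {"objectClass": "javax.sql.DataSource", "osgi.jndi.service.name": "test"},
    {"objectClass": "javax.sql.DataSource", "osgi.jndi.service.name": "test2"},
]


def escape_filter_value(value: str) -> str:
    """Escape a literal for use inside an OSGi/LDAP filter value (RFC 4515):
    '*', '(', ')', '\\' and NUL become a backslash plus two hex digits."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def vulnerable_filter(name: str) -> str:
    # Name concatenated straight into the filter: the pattern the PR removes.
    # The filter shape is assumed for illustration, not copied from Karaf.
    return "(&(objectClass=javax.sql.DataSource)(osgi.jndi.service.name=%s))" % name


def safe_filter(name: str) -> str:
    # Same filter, but the user-supplied name is escaped first, so a '*' in
    # the name is a literal asterisk rather than a wildcard.
    return "(&(objectClass=javax.sql.DataSource)(osgi.jndi.service.name=%s))" % escape_filter_value(name)


def _value_regex(value: str) -> str:
    """Turn a filter value into an anchored regex: an unescaped '*' is a
    wildcard, a '\\xx' escape is the literal character with that hex code."""
    out, i = "^", 0
    while i < len(value):
        if value[i] == "\\" and i + 3 <= len(value):
            out += re.escape(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        elif value[i] == "*":
            out += ".*"
            i += 1
        else:
            out += re.escape(value[i])
            i += 1
    return out + "$"


def _parse(s: str, i: int, props: dict):
    """Evaluate the sub-filter starting at s[i]; return (result, index after it).
    Supports &, |, ! and attr=value (with wildcards), enough for this demo."""
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if i < len(s) and s[i] in "&|":
        op, i, results = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            r, i = _parse(s, i, props)
            results.append(r)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated %s filter" % op)
        return (all(results) if op == "&" else any(results)), i + 1
    if i < len(s) and s[i] == "!":
        r, i = _parse(s, i + 1, props)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated ! filter")
        return (not r), i + 1
    end = s.find(")", i)
    if end < 0:
        raise ValueError("unterminated simple filter")
    attr, _, value = s[i:end].partition("=")
    actual = props.get(attr)
    return (actual is not None and re.match(_value_regex(value), actual) is not None), end + 1


def matches(filter_str: str, props: dict) -> bool:
    """Minimal stand-in for org.osgi.framework.Filter.match (assumption)."""
    result, pos = _parse(filter_str, 0, props)
    if pos != len(filter_str):
        raise ValueError("trailing characters in filter")  # invalid syntax
    return result


def find_datasources(name: str, build_filter) -> list:
    """Names of registry entries selected by the filter built from `name`."""
    flt = build_filter(name)
    return [p["osgi.jndi.service.name"] for p in REGISTRY if matches(flt, p)]


if __name__ == "__main__":
    for name in ("test", "*", "te*"):
        print("%-5s vulnerable=%s safe=%s" % (
            name, find_datasources(name, vulnerable_filter), find_datasources(name, safe_filter)))
```

With the unescaped builder, `*` and `te*` select both datasources, which is exactly why `jdbc:ds-delete *` reaches everything; with the escaped builder they select nothing, because no service is literally named `*`, while a real name such as `test` still resolves to its one service. Names containing `)` are also worth checking: unescaped they either break the filter syntax or let the caller close the clause early and append their own, escaped they are just literals.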

@jbonofre jbonofre self-requested a review May 11, 2026 14:52
@jbonofre jbonofre merged commit c4f1621 into apache:main May 25, 2026
6 checks passed
@coheigea coheigea deleted the coheigea/jdbc-injection branch May 25, 2026 08:50
