[reload4j] SQL injection problem in JDBCAppender

Ceki Gülcü ceki at qos.ch
Wed Jan 19 13:26:13 CET 2022



On 1/19/2022 1:15 PM, Vladimir Sitnikov wrote:
>>If JDBCAppender is removed thre would be a single exception thrown at
>>config time
> 
> Once again: there are valid cases when people override `flushBuffer` and
> implement secure database calls.
> In other words, they find "buffering" feature useful.

The buffering feature is not at cause. What is at cause is the
unprotected JDBC call which uses a simple Statement instead of a
PreparedStatement.

> If we drop the class altogether, the users would have to
> rewrite/recompile the code which is harder than just replacing log4j.jar
> with reload4j.jar.
> if we keep the class, we could still keep the "drop-in replacement"
> label which would be very good.

 I agree that 100% drop-in compatibility is better than covering 99%.
However, we have to be realistic about the means at our disposal.
> That is why I suggest we keep the class, and we heal SQL injection.

OK. I don't think fixing SQL injection can be done without heavy
surgery. It would be probably be easier and more sane to write a new
JDBCAppender from the ground up.

>>Then there is the case of MDC (%X), NCD (%x) and many other cases which
>>we did not anticipate
> 
> We can hard-code things like "we support PatternLayout only", then we
> know the full set of markers (e.g. everything with %).

But the problem is the use of PatternLayout. We would need to reinvent
JDBC PreparedStamement to overcome the vulnerability.

> Vladimir
> 

-- 
Ceki Gülcü

Sponsoring SLF4J/logback/reload4j at https://github.com/sponsors/qos-ch


More information about the reload4j mailing list