000029476 - IMG Workflow fails to import due to "A potential SQL injection threat (sql keyword) has been detected"

Document created by RSA Customer Support Employee on Jun 14, 2016

Article Content

Article Number: 000029476
Applies To
RSA Product Set: Identity Management and Governance
RSA Product/Service Type: Enterprise Software
RSA Version/Condition: 6.9
 
Issue
When importing a workflow, the import appears to complete as expected, but the workflow is not visible afterwards. The following error is written to the log:
01/16/2015 10:35:54.242 INFO (http-0.0.0.0-8443-4) [com.aveksa.server.workflow.WorkflowServiceProvider] Importing workflow archive multPartReq50190.tmp....
01/16/2015 10:35:54.306 INFO (http-0.0.0.0-8443-4) [STDOUT] 2015-01-16 10:35:54,306 [http-0.0.0.0-8443-4] ERROR com.workpoint.server.pojo.GenericServerBean - A potential SQL injection threat (sql keyword) has been detected at position 16 of the Filter parameter and so the statement will not be executed. If this is a legitimate request please restructure this input to eliminate the potential threat. Consider using parameterized queries and bind arrays. The data in question is: "NAME = 'Create accounts groups'".
01/16/2015 10:35:54.337 ERROR (http-0.0.0.0-8443-4) [com.aveksa.server.workflow.WorkflowServiceProvider] method=start subTask=Error importing the file /tmp/multPartReq50190.tmp
com.workpoint.server.ejb.WorkPointEJBException: An SQL Exception has occurred. Please see the server logs for details.
at com.workpoint.server.pojo.GenericServerBean.createException(Unknown Source)
at com.workpoint.server.pojo.GenericServerBean.createException(Unknown Source)
at com.workpoint.server.pojo.ProcessPvtBean.queryList(Unknown Source)
at sun.reflect.GeneratedMethodAccessor137.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:622)

The following segment will differ in your log, because it quotes the name of the workflow being imported:
The data in question is: "NAME = 'Create accounts groups'"

 
Cause
The embedded WorkPoint workflow engine rejects the import because its SQL injection check treats string values from the workflow metadata as possible injection attempts. For example, the referenced stack contains the line:
01/16/2015 10:35:54.306 INFO (http-0.0.0.0-8443-4) [STDOUT] 2015-01-16 10:35:54,306 [http-0.0.0.0-8443-4] ERROR com.workpoint.server.pojo.GenericServerBean - A potential SQL injection threat (sql keyword) has been detected at position 16 of the Filter parameter and so the statement will not be executed. If this is a legitimate request please restructure this input to eliminate the potential threat. Consider using parameterized queries and bind arrays. The data in question is: "NAME = 'Create accounts groups'".

In this line the "NAME = 'Create accounts groups'" segment is the filter WorkPoint builds from the name of the imported workflow. The name begins with the word Create, which is a SQL keyword, and the filter embeds the name in single quotes as a SQL string literal. WorkPoint's injection check scans that filter text for SQL keywords, flags the keyword as a possible injection, and refuses to execute the statement as a safety measure, so the import fails even though the name is legitimate data. The check is a keyword heuristic inside the WorkPoint engine, not something the IMG administrator can tune; the workaround on the IMG side is to choose names that do not trigger it.
Resolution
Avoid using SQL keywords in object names (workflow names and any other metadata strings that WorkPoint turns into a query filter).
Examples to avoid:
  • Select
  • Drop
  • Create
  • Execute
Should you encounter this error, rename the object referenced in the error stack (the value quoted after "The data in question is:") so that it no longer contains a SQL keyword, then export and import once again.
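The following is an added example, not code from RSA or WorkPoint. It models the keyword check described in the Cause section with a small constructed keyword list (WorkPoint's real list is not published in this article, so the list, the whole-word matching rule and the reported offset are assumptions), gives a pre-import check that lists object names the heuristic would reject, which is the Resolution applied ahead of time, and contrasts the concatenated filter seen in the log with the parameterized query the error message itself recommends, using sqlite3 and a constructed in-memory table.

```python
import re
import sqlite3

# Constructed keyword list for illustration only; WorkPoint's own list and
# matching rules are not documented in the article.
SQL_KEYWORDS = ("select", "insert", "update", "delete", "drop", "create",
                "alter", "execute", "exec", "union", "truncate", "grant")


def find_sql_keyword(text):
    """Return (keyword, 0-based offset) of the first whole word in text that is
    a SQL keyword, or None. Models a keyword blacklist like the one that
    rejected the Filter parameter; the offset is this function's own and is
    not claimed to match the position WorkPoint reports."""
    for m in re.finditer(r"[A-Za-z_]+", text):
        if m.group(0).lower() in SQL_KEYWORDS:
            return (m.group(0), m.start())
    return None


def build_filter_unsafe(name):
    """Concatenated filter of the shape seen in the log: data becomes SQL text."""
    return "NAME = '%s'" % name


def check_names_before_import(names):
    """Pre-import check: map each name the keyword heuristic would reject to
    the (keyword, offset) that triggers it, so it can be renamed first."""
    hits = {}
    for name in names:
        found = find_sql_keyword(build_filter_unsafe(name))
        if found:
            hits[name] = found
    return hits


def make_sample_db():
    """Constructed in-memory table standing in for the workflow store."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE workflow (id INTEGER PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO workflow (name) VALUES (?)",
                    [("Create accounts groups",),
                     ("Approve access",),
                     ("Drop stale roles",)])
    return con


def query_unsafe(con, name):
    """Concatenation: the name is parsed as SQL, so quotes or keywords in the
    data change the statement's meaning. This is why a keyword blacklist was
    bolted on in front of it, and why that blacklist has false positives."""
    sql = "SELECT name FROM workflow WHERE " + build_filter_unsafe(name)
    return [row[0] for row in con.execute(sql)]


def query_parameterized(con, name):
    """Bind the name as a parameter: the driver never parses it as SQL, so
    keywords and quotes in legitimate data are harmless and an injection
    payload is just a string that matches no row. No blacklist needed."""
    rows = con.execute("SELECT name FROM workflow WHERE name = ?", (name,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    names = ["Create accounts groups", "Approve access", "Drop stale roles"]
    print("names the keyword check would reject:", check_names_before_import(names))
    con = make_sample_db()
    print("parameterized lookup:", query_parameterized(con, "Create accounts groups"))
    print("injection payload, concatenated:", query_unsafe(con, "x' OR '1'='1"))
    print("injection payload, parameterized:", query_parameterized(con, "x' OR '1'='1"))
```

Running it shows the two failure modes side by side: the blacklist rejects "Create accounts groups" and "Drop stale roles" although both are harmless names, while the concatenated query returns every row for the payload x' OR '1'='1 and the parameterized query returns none. Renaming objects is the practical workaround in IMG because the check lives in the engine; the durable fix is the bound parameter.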
