Description: An attacker could inject malicious SQL code through user-provided input. When this input is used in MyBatis mappers with dynamic SQL (using ${} or string concatenation) without proper parameterization, the attacker's SQL code is executed directly against the database. This allows attackers to bypass security controls and perform unauthorized actions such as reading, modifying, or deleting data, and potentially gaining further access to the system.
Impact:
- Data breach and loss of confidentiality.
- Data manipulation and integrity compromise.
- Data deletion and loss of availability.
- Potential for complete system compromise in severe cases, including remote code execution in certain database environments.
Affected MyBatis 3 Component:
- Mapper XML files or Mapper Interfaces using annotations for dynamic SQL.
- SQL parsing and execution engine within MyBatis.
Risk Severity: Critical
Mitigation Strategies:
- Primary Mitigation: Always use parameterized queries (
#{}) for user-provided input in MyBatis mappers. - Strictly avoid using
${}for user input. Reserve${}only for truly dynamic elements that are not user-controlled and are carefully validated. - Implement robust input validation and sanitization on the application side before passing data to MyBatis as a defense-in-depth measure.
- Utilize static code analysis tools to automatically detect potential SQL injection vulnerabilities in mapper files.
- Conduct thorough security code reviews, specifically focusing on MyBatis mapper implementations and dynamic SQL usage.
- Deploy a Web Application Firewall (WAF) to detect and block common SQL injection attack patterns.
Description: Database connection credentials (username, password) might be directly embedded within MyBatis configuration files (e.g., mybatis-config.xml). If an attacker gains unauthorized access to these configuration files through various means (e.g., source code repository access, server compromise, misconfigured deployments, or insider threats), they can extract these credentials. This grants them direct, unauthorized access to the database, bypassing application-level security controls.
Impact:
- Unauthorized and direct database access.
- Data breach and loss of confidentiality of all data within the database.
- Data manipulation and integrity compromise, potentially leading to data corruption or malicious modifications.
- Data deletion and complete data loss.
- Potential for lateral movement and further system compromise if database access can be leveraged to access other systems or resources.
Affected MyBatis 3 Component:
- Configuration loading and parsing mechanism within MyBatis.
- Data source configuration sections in
mybatis-config.xmlor Spring configuration files used by MyBatis.
Risk Severity: High
Mitigation Strategies:
- Never hardcode database credentials directly in configuration files. This is a fundamental security best practice.
- Utilize environment variables or secure configuration management systems (e.g., HashiCorp Vault, Spring Cloud Config) to manage database credentials. Retrieve credentials at runtime from these secure and externalized sources.
- Encrypt configuration files if they must be stored in a less secure location, although this is a less preferred approach compared to externalized configuration.
- Implement strict access control and version control for configuration files to prevent unauthorized access, modification, and exposure.
- Regularly rotate database credentials to limit the window of opportunity if credentials are compromised.