Bug 994880

Summary: Activity Server allows to run any JPQL query statement over REST API
Product: [JBoss] JBoss Fuse Service Works 6 Reporter: Jiri Pechanec <jpechane>
Component: RT GovernanceAssignee: Gary Brown <gbrown>
Status: CLOSED CURRENTRELEASE QA Contact: Jiri Sedlacek <jsedlace>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 6.0.0 GACC: atangrin, oskutka, soa-p-jira
Target Milestone: ER1   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-02-06 15:27:05 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jiri Pechanec 2013-08-08 07:57:38 UTC 
http://localhost:8080/overlord-rtgov/activity/query allow to execute virtually any JPQL query over Activity Server database.

This might pose a security risk in the future so I propose a review by security team
Comment 1 Gary Brown 2013-08-08 08:09:25 UTC 
Given that the operation is 'query' I am happy to restrict it to SELECT statements.
Comment 3 Jiri Pechanec 2013-09-16 09:55:47 UTC 
Verified in ER2
Comment 7 JBoss JIRA Server 2014-07-02 09:19:32 UTC 
Gary Brown <gary> updated the status of jira RTGOV-244 to Closed