Red Hat Bugzilla – Bug 994880
Activity Server allows to run any JPQL query statement over REST API
Last modified: 2015-08-02 19:44:19 EDT
http://localhost:8080/overlord-rtgov/activity/query allows executing virtually any JPQL query over the Activity Server database. This might pose a security risk in the future, so I propose a review by the security team.
Given that the operation is 'query' I am happy to restrict it to SELECT statements.
Verified in ER2
Gary Brown <gary@brownuk.com> updated the status of jira RTGOV-244 to Closed
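
One way to enforce the SELECT-only restriction discussed in this bug, as an added example that is not the Overlord RTGov code. The class name, method name and sample entity name are assumptions, and the string is assumed to be handed to a JPQL query, not a native SQL one.

```java
import java.util.regex.Pattern;

/** Added example: statement-type guard for a JPQL query endpoint (hypothetical class). */
public class JpqlSelectGuard {

    // The JPQL grammar has three statement types (select, update, delete),
    // distinguished by the leading keyword. Require SELECT as a whole word.
    private static final Pattern SELECT_STMT =
            Pattern.compile("^\\s*select\\s+.+", Pattern.CASE_INSENSITIVE | Pattern.DOTALL);

    /** Returns the trimmed query if it is a SELECT statement, otherwise throws. */
    public static String requireSelect(String jpql) {
        if (jpql == null || jpql.trim().isEmpty()) {
            throw new IllegalArgumentException("empty query");
        }
        if (!SELECT_STMT.matcher(jpql).matches()) {
            throw new IllegalArgumentException("only SELECT statements are accepted");
        }
        return jpql.trim();
    }

    public static void main(String[] args) {
        // Constructed sample inputs; the entity name is illustrative only.
        String[] samples = {
            "SELECT a FROM ActivityUnit a WHERE a.id = :id",   // accepted
            "  select count(a) from ActivityUnit a",           // accepted
            "UPDATE ActivityUnit a SET a.id = 'x'",            // rejected
            "DELETE FROM ActivityUnit a",                      // rejected
            "selected a from ActivityUnit a",                  // rejected: not the keyword
            ""                                                 // rejected: empty
        };
        for (String s : samples) {
            try {
                requireSelect(s);
                System.out.println("accepted: " + s);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected (" + e.getMessage() + "): " + s);
            }
        }
    }
}
```

This check narrows the statement type only; a SELECT can still read any mapped entity, so which data the endpoint exposes remains a separate access-control question. Executing the accepted string with `getResultList()` rather than `executeUpdate()` adds a second barrier, since JPA raises `IllegalStateException` when `getResultList()` is called on an UPDATE or DELETE statement.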