Ability to Adhoc SQL using REF CURSOR based BIP Report not supported anymore - Page 3 — Oracle Analytics

Oracle Transactional Business Intelligence Idea Lab

Welcome to the Oracle Analytics Community: Please complete your User Profile and upload your Profile Picture

Ability to Adhoc SQL using REF CURSOR based BIP Report not supported anymore

783
Views
37
Comments
13

Comments

  • Eric Levinson-44477
    Eric Levinson-44477 Rank 1 - Community Starter

    After analyzing the SQL Connect tool data which calls the BIP  stub - I see that anything passed to it internally gets wrapped by:

    select * from (:sql);

    so I believe there's very minimal risk to SQL injection, although you never know internally how Oracle handles select * from (); constructs, so there still is a possibility.

    I have heard that Oracle is developing its own web service based connector for their own tools, possibly SQL Developer - so this is something they may have changed for their code.

     

  • Eric Levinson-44477
    Eric Levinson-44477 Rank 1 - Community Starter

    I would imagine it is global change - REF CURSOR is a data type in the database, and provides a way to access a cursor by reference, and use it in other code in your session, without having to redefine the cursor each time.
    We are expecting our dev2 instance to be patched to 20B on May 1 and we are heavy in Fusion SCM applications and will report back our findings.

     

  • Glen Ryen
    Glen Ryen Rank 4 - Community Specialist

    Hi Eric & David,

    I'm speculating there, which is why I was asking if anyone has seen and could post an official pronouncement from Oracle on this.  But my guess is that just because this one SQL Connect tool wraps the :sql bind variable doesn't preclude some type of injection - or that other tools (or regular BI data models) wouldn't be more at risk if REF CURSORs are left open.  And if the user account has update privileges, there could be the potential that a series of statements get passed in.

    Again, that's conjecture on my part but I'd assume the vulnerability's there first and try to prove otherwise.  I'm with you (and others) in that some form of SQL Developer-type direct access would be a welcome addition, I just don't find the current process of manual ad hoc data models that onerous.  If you're going to give people access to a REF CURSOR tool, why would you need sysadmin involvement for migrations as a workaround?  What's the concern with having these analysts/support team members create their queries in their own 'My Folders' area?  And better still, doing that in a recent clone that's part of your overall instance management strategy?

    Glen

  • Ravi Patil-74669
    Ravi Patil-74669 Rank 1 - Community Starter

    All -

    We were early adopters of 20B and discovered the issue during testing. there is no official announcement of the issue being deprecated. When we were pushing Dev team to offer workaround or continue the feature, we were told to log an Idea.

    We are working closes with Oracle Development team, it seems like they will continue this feature thru 20C. All customers receiving 20B upgrade this weekend will not see any issue.  Oracle will soon announce the issue being discontinued in 20C upgrade, stay tuned for that.

  • HitendraD
    HitendraD Rank 1 - Community Starter

    This will have a severe impact on running SQL's without new Data models.

    Webservice accepting SQL as a parameter should be launched to overcome this.

  • David Wright - More4apps
    David Wright - More4apps Rank 3 - Community Apprentice

    Hi Folks,

    It looks to be on the cards for de-support again.

    Deprecation is documented here:

    https://www.oracle.com/webfolder/technetwork/tutorials/tutorial/cloud/r13/wn/common/releases/20C/20C-common-wn.htm#F14321

    Creating specific predefined queries within the BI model is unfortunately not a workable alternative solution.

    Regards,

    David.

  • Sudhesh Nayak
    Sudhesh Nayak Rank 3 - Community Apprentice

    We are looking at the BIP web services and so far it looks feasible to have an application to accept the SQL, create a data model from the SQL. You can have a generic report that produces CSV output from the data model which you can kick off via web services as well. 

    Essentially, build a tool that takes your SQL, creates a dm on the fly, and executes and returns the result. As far as 20D is concerned, it is NOT dynamic SQL. But it is for your purposes!!

     

  • David Wright - More4apps
    David Wright - More4apps Rank 3 - Community Apprentice

    Hi Sudhesh,

    Thanks for your update, can you confirm if this requires BIP admin access to build on the fly?

    Regards,

    David

  • Sudhesh Nayak
    Sudhesh Nayak Rank 3 - Community Apprentice

    No need for admin. Integration Specialist should work. 

     

  • Sudhesh Nayak
    Sudhesh Nayak Rank 3 - Community Apprentice

    No need for admin. Integration Specialist should work.