Categories
- All Categories
- 15 Oracle Analytics Sharing Center
- 15 Oracle Analytics Lounge
- 208 Oracle Analytics News
- 41 Oracle Analytics Videos
- 15.7K Oracle Analytics Forums
- 6.1K Oracle Analytics Idea Labs
- Oracle Analytics User Groups
- 76 Oracle Analytics Trainings
- 14 Oracle Analytics Data Visualizations Challenge
- Find Partners
- For Partners
Ability to Adhoc SQL using REF CURSOR based BIP Report not supported anymore
Comments
-
After analyzing the SQL Connect tool data which calls the BIP stub - I see that anything passed to it internally gets wrapped by:
select * from (:sql);
so I believe there's very minimal risk to SQL injection, although you never know internally how Oracle handles select * from (); constructs, so there still is a possibility.
I have heard that Oracle is developing its own web service based connector for their own tools, possibly SQL Developer - so this is something they may have changed for their code.
0 -
I would imagine it is global change - REF CURSOR is a data type in the database, and provides a way to access a cursor by reference, and use it in other code in your session, without having to redefine the cursor each time.
We are expecting our dev2 instance to be patched to 20B on May 1 and we are heavy in Fusion SCM applications and will report back our findings.0 -
Hi Eric & David,
I'm speculating there, which is why I was asking if anyone has seen and could post an official pronouncement from Oracle on this. But my guess is that just because this one SQL Connect tool wraps the :sql bind variable doesn't preclude some type of injection - or that other tools (or regular BI data models) wouldn't be more at risk if REF CURSORs are left open. And if the user account has update privileges, there could be the potential that a series of statements get passed in.
Again, that's conjecture on my part but I'd assume the vulnerability's there first and try to prove otherwise. I'm with you (and others) in that some form of SQL Developer-type direct access would be a welcome addition, I just don't find the current process of manual ad hoc data models that onerous. If you're going to give people access to a REF CURSOR tool, why would you need sysadmin involvement for migrations as a workaround? What's the concern with having these analysts/support team members create their queries in their own 'My Folders' area? And better still, doing that in a recent clone that's part of your overall instance management strategy?
Glen
0 -
All -
We were early adopters of 20B and discovered the issue during testing. there is no official announcement of the issue being deprecated. When we were pushing Dev team to offer workaround or continue the feature, we were told to log an Idea.
We are working closes with Oracle Development team, it seems like they will continue this feature thru 20C. All customers receiving 20B upgrade this weekend will not see any issue. Oracle will soon announce the issue being discontinued in 20C upgrade, stay tuned for that.
0 -
This will have a severe impact on running SQL's without new Data models.
Webservice accepting SQL as a parameter should be launched to overcome this.
0 -
Hi Folks,
It looks to be on the cards for de-support again.
Deprecation is documented here:
Creating specific predefined queries within the BI model is unfortunately not a workable alternative solution.
Regards,
David.
0 -
We are looking at the BIP web services and so far it looks feasible to have an application to accept the SQL, create a data model from the SQL. You can have a generic report that produces CSV output from the data model which you can kick off via web services as well.
Essentially, build a tool that takes your SQL, creates a dm on the fly, and executes and returns the result. As far as 20D is concerned, it is NOT dynamic SQL. But it is for your purposes!!
0 -
Hi Sudhesh,
Thanks for your update, can you confirm if this requires BIP admin access to build on the fly?
Regards,
David
0 -
No need for admin. Integration Specialist should work.
0 -
No need for admin. Integration Specialist should work.
0
