Details

    • Docs QE Status:
      NEW
    • QE Status:
      NEW

      Description

According to the installation instructions, the Keycloak DB schema in MySQL should use utf8 instead of utf8mb4.
      https://www.keycloak.org/docs/latest/server_installation/#mysql-database

This issue was already stressed, e.g. in KEYCLOAK-3873 and KEYCLOAK-7996.
Please add official utf8mb4 support!

      The dark side of the coin:
I mention again the page https://mathiasbynens.be/notes/mysql-utf8mb4 which helped me to set up a destructive user input with the usage of "PILE OF POO".

I cannot enter this emoji here in Jira?!! because of:

      We can't create this issue for you right now, it could be due to unsupported content you've entered into one or more of the issue fields.
      

Initially I wanted to test the behaviour of our own application, but the registration in Keycloak already fails.

      The simple setup: Keycloak offers a self registration and my MySQL schema is utf8.

      Assuming the user enters in registration page such data:
      Surename: Claudia-"PILE OF POO"Maria
      Familyname: Meyer

      As image

This generates these ERROR log-level entries:

      2020-03-12 09:52:17,856 WARN  [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-3) SQL Error: 1366, SQLState: HY000
      2020-03-12 09:52:17,857 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-3) Incorrect string value: '\xF0\x9F\x92\xA9Ma...' for column 'FIRST_NAME' at row 1
2020-03-12 09:52:17,864 ERROR [org.hibernate.internal.ExceptionMapperStandardImpl] (default task-3) HHH000346: Error during managed flush [org.hibernate.exception.GenericJDBCException: could not execute statement]
2020-03-12 09:52:17,864 WARN  [com.arjuna.ats.arjuna] (default task-3) ARJUNA012125: TwoPhaseCoordinator.beforeCompletion - failed for SynchronizationImple< 0:ffff0a015d3d:-6e5ed879:5e69f7d9:b5, org.wildfly.transaction.client.AbstractTransaction$AssociatingSynchronization@36e1be3e >: javax.persistence.PersistenceException: org.hibernate.exception.GenericJDBCException: could not execute statement
              at org.hibernate@5.3.13.Final//org.hibernate.internal.ExceptionConverterImpl.convert(ExceptionConverterImpl.java:154)
      ......
      Caused by: org.hibernate.exception.GenericJDBCException: could not execute statement
      ......
      Caused by: java.sql.SQLException: Incorrect string value: '\xF0\x9F\x92\xA9Ma...' for column 'FIRST_NAME' at row 1
      ......
              ... 93 more
      
      2020-03-12 09:52:17,875 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-3) Uncaught server error: org.keycloak.models.ModelException: org.hibernate.exception.GenericJDBCException: could not execute statement
              at org.keycloak.keycloak-model-jpa@9.0.0//org.keycloak.connections.jpa.PersistenceExceptionConverter.convert(PersistenceExceptionConverter.java:61)
      ......
      Caused by: org.hibernate.exception.GenericJDBCException: could not execute statement
      ......
      Caused by: java.sql.SQLException: Incorrect string value: '\xF0\x9F\x92\xA9Ma...' for column 'FIRST_NAME' at row 1
      ......
              ... 93 more
      

      Keep spinning the wheel
Usage of SIEM (Security Information and Event Management):
From the operator's point of view, such ERROR entries can cause unnecessary false positives with "red"-marked events, and someone needs to check the system to see what happened in detail, only because of a destructive user input and not a real application error.

Filtering out such cases is complex, because only the ERROR entry with the follow-up line "SQLException: Incorrect string value: (.)* for column 'FIRST_NAME' at row 1" needs to be skipped.
In the end the SIEM has a lot of accepted error keywords, and the day is coming when a real application error happens and nobody recognizes it because it's unreported.
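The triage the report describes, as an added example that is not part of the issue or of Keycloak: it groups WildFly log lines by thread, labels a thread whose trace carries MySQL error 1366 / "Incorrect string value" as rejected user input rather than an application fault, and recovers the bytes MySQL refused. The sample log is constructed from the lines quoted above (plus one invented NullPointerException on another thread); the function and regex names are mine.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the report: task-3 is the rejected emoji registration,
# task-4 is an invented, genuine server error that must keep alerting.
SAMPLE_LOG = r"""
2020-03-12 09:52:17,856 WARN  [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-3) SQL Error: 1366, SQLState: HY000
2020-03-12 09:52:17,857 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-3) Incorrect string value: '\xF0\x9F\x92\xA9Ma...' for column 'FIRST_NAME' at row 1
2020-03-12 09:52:17,875 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-3) Uncaught server error: org.keycloak.models.ModelException: org.hibernate.exception.GenericJDBCException: could not execute statement
Caused by: java.sql.SQLException: Incorrect string value: '\xF0\x9F\x92\xA9Ma...' for column 'FIRST_NAME' at row 1
        ... 93 more
2020-03-12 09:53:01,004 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-4) Uncaught server error: java.lang.NullPointerException
"""

# "<date> <time> <LEVEL> [<logger>] (<thread>) <message>" as WildFly prints it
HEADER = re.compile(r"^\S+ \S+ (?P<level>WARN|ERROR|INFO|DEBUG)\s+\[[^\]]+\] \((?P<thread>[^)]+)\) (?P<msg>.*)$")
# MySQL renders the refused bytes as \xNN escapes inside the quoted value
BAD_STRING = re.compile(r"Incorrect string value: '(?P<hex>(?:\\x[0-9A-Fa-f]{2})+)[^']*' for column '(?P<column>\w+)'")

def needs_utf8mb4(text: str) -> bool:
    """True if the string cannot be stored in MySQL 'utf8' (utf8mb3): a code point needs 4 UTF-8 bytes."""
    return any(ord(ch) > 0xFFFF for ch in text)

def rejected_bytes(hex_escapes: str) -> bytes:
    """Turn MySQL's '\\xF0\\x9F\\x92\\xA9' rendering back into the raw bytes it refused."""
    return bytes.fromhex(hex_escapes.replace("\\x", ""))

def triage(log: str) -> dict:
    """Label each thread's ERRORs: a thread that also logged error 1366 is rejected user input;
    every other thread with an ERROR stays a real alert. Returns {thread: (label, column, bytes)}."""
    threads = defaultdict(list)
    current = None
    for line in log.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.group("thread")
            threads[current].append((m.group("level"), m.group("msg")))
        elif current is not None:  # 'Caused by:' and stack frames belong to the last header line
            threads[current].append(("TRACE", line.strip()))
    result = {}
    for thread, entries in threads.items():
        bad = BAD_STRING.search("\n".join(msg for _, msg in entries))
        if bad:
            result[thread] = ("utf8mb3_input_rejected", bad.group("column"), rejected_bytes(bad.group("hex")))
        elif any(level == "ERROR" for level, _ in entries):
            result[thread] = ("application_error", None, None)
    return result
```

Suppress only the `utf8mb3_input_rejected` label in the SIEM rule; the decoded bytes (here U+1F4A9) show which character the utf8mb3 column refused, which is also what `needs_utf8mb4` would have caught at input time.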

    • Assignee:
      Unassigned
    • Reporter:
      Patrik Schwieger