request #15028: The update of the CI job targeted by a widget is vulnerable to blind SQL injections

Change-Id: Ib02a01586740b990feb675a8728a006ea20f7777
LeSuisse committed Jun 26, 2020
1 parent 7d8298b commit 91535ad
Showing 1 changed file with 37 additions and 19 deletions.
56 changes: 37 additions & 19 deletions plugins/hudson/include/HudsonJobWidget.class.php
Expand Up @@ -42,17 +42,29 @@ public function create(Codendi_Request $request)
$vId->required();
if ($request->valid($vId)) {
$job_id = $request->get($this->widget_id . '_job_id');
$sql = 'INSERT INTO plugin_hudson_widget (widget_name, owner_id, owner_type, job_id) VALUES ("' . $this->id . '", ' . $this->owner_id . ", '" . $this->owner_type . "', " . db_escape_int($job_id) . " )";
$res = db_query($sql);
$content_id = db_insertid($res);
$db = \Tuleap\DB\DBFactory::getMainTuleapDBConnection()->getDB();
$content_id = (int) $db->insertReturnId(
'plugin_hudson_widget',
[
'widget_name' => $this->id,
'owner_id' => $this->owner_id,
'owner_type' => $this->owner_type,
'job_id' => $job_id
]
);
}
return $content_id;
}

public function destroy($id)
{
$sql = 'DELETE FROM plugin_hudson_widget WHERE id = ' . $id . ' AND owner_id = ' . $this->owner_id . " AND owner_type = '" . $this->owner_type . "'";
db_query($sql);
$db = \Tuleap\DB\DBFactory::getMainTuleapDBConnection()->getDB();
$db->run(
'DELETE FROM plugin_hudson_widget WHERE id = ? AND owner_id = ? AND owner_type = ?',
$id,
$this->owner_id,
$this->owner_type,
);
}

public function getPreferences($widget_id)
Expand Down Expand Up @@ -120,8 +132,14 @@ public function updatePreferences(Codendi_Request $request)
$request->valid(new Valid_String('cancel'));
if (!$request->exist('cancel')) {
$job_id = $request->get($this->widget_id . '_job_id');
$sql = "UPDATE plugin_hudson_widget SET job_id=" . $job_id . " WHERE owner_id = " . $this->owner_id . " AND owner_type = '" . $this->owner_type . "' AND id = " . (int) $request->get('content_id');
$res = db_query($sql);
$db = \Tuleap\DB\DBFactory::getMainTuleapDBConnection()->getDB();
$db->run(
'UPDATE plugin_hudson_widget SET job_id=? WHERE owner_id = ? AND owner_type = ? AND id = ?',
$job_id,
$this->owner_id,
$this->owner_type,
$this->content_id,
);
}
return true;
}
Expand All @@ -133,19 +151,19 @@ abstract protected function initContent();
*/
protected function getJobIdFromWidgetConfiguration()
{
$sql = "SELECT *
FROM plugin_hudson_widget
WHERE widget_name = '" . db_es($this->widget_id) . "'
AND owner_id = " . db_ei($this->owner_id) . "
AND owner_type = '" . db_es($this->owner_type) . "'
AND id = " . db_ei($this->content_id);

$res = db_query($sql);
if ($res && db_numrows($res)) {
$data = db_fetch_array($res);
return $data['job_id'];
$db = \Tuleap\DB\DBFactory::getMainTuleapDBConnection()->getDB();
$job_id = $db->cell(
'SELECT job_id FROM plugin_hudson_widget WHERE widget_name = ? AND owner_id = ? AND owner_type = ? AND id = ?',
$this->widget_id,
$this->owner_id,
$this->owner_type,
$this->content_id,
);

if ($job_id === false) {
return null;
}

return null;
return $job_id;
}
}
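Review bot: In `updatePreferences()` the new code binds `$job_id` straight from `$request->get($this->widget_id . '_job_id')` without the validation that `create()` applies to the same parameter (`$vId->required(); if ($request->valid($vId))`), so the binding closes the injection but a non-integer value now either produces a database error or a silently coerced value, depending on the server's SQL mode. Reusing that validator, e.g. `if (!$request->exist('cancel') && $request->valid($vId)) {` with `$vId` built as in `create()`, would reject bad input before the `UPDATE` runs. The WHERE clause also switches from `(int) $request->get('content_id')` to `$this->content_id`; this looks intentional (the widget can then only touch its own row) but deserves a one-line comment, and it presumes `$this->content_id` is populated before this method is called — worth confirming, as `updatePreferences()` begins above the hunk. In `getJobIdFromWidgetConfiguration()` the `$job_id === false` test relies on `cell()` returning `false` for an empty result, and the method now returns whatever the driver yields rather than the string `db_fetch_array` produced, so callers comparing with `===` should be checked.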
