
Avoid potential SQL injection when updating relations with params #1608

Merged: 9 commits merged into bedita:3-corylus on Jun 6, 2019

Conversation

@fquffio fquffio commented Jun 3, 2019

This PR fixes a (potentially serious) vulnerability. When saving a relation with parameters, since the encoded JSON was not being properly escaped, it was possible to inject custom SQL by simply adding an apostrophe (') to one relation parameter.

For instance, when linking a Document and an Image together, it would have been possible to give a maliciously-crafted "label" to expose arbitrary data from any table.

This PR fixes this vulnerability by ensuring data is explicitly sanitized before it is used to build queries.

Note: #1462 would have been a safer alternative… if it worked! 😄 It turned out to have bad effects since some relations were wiped out and not being updated altogether.
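The injection pattern the description above refers to, as an added example that is not BEdita's code or the PR author's. It is written in Python against an in-memory SQLite database rather than the project's PHP/CakePHP so that it runs stand-alone; the object_relations and users tables, their columns and the admin row are constructed for the demo and are not BEdita's schema. It shows the vulnerable form (encoded JSON spliced into the INSERT), the escaping fix that matches the approach the PR describes, and a bound-parameter form, with the same apostrophe-carrying "label" fed to all three.

```python
"""Added example (not BEdita's code): the SQL-injection pattern the PR describes.

Relation parameters are JSON-encoded and then spliced into an INSERT as a
quoted literal. json.dumps() escapes double quotes but never single quotes,
so a "label" containing an apostrophe closes the SQL string and the rest of
the label is parsed as SQL. Schema, table names and the users row are
constructed for this demo; they are not BEdita's schema. SQLite stands in
for the real database (it concatenates with ||; MySQL would use CONCAT()).
"""
import json
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed schema: a relation table plus an unrelated table to leak from."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE object_relations ("
        "id INTEGER PRIMARY KEY, id_left INTEGER, id_right INTEGER, "
        "switch TEXT, params TEXT)"
    )
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, passwd TEXT)"
    )
    conn.execute(
        "INSERT INTO users (username, passwd) VALUES ('admin', 'hash-of-admin-pw')"
    )
    return conn


def _stored_params(conn: sqlite3.Connection, row_id: int) -> str:
    """Read back what actually landed in the params column."""
    row = conn.execute(
        "SELECT params FROM object_relations WHERE id = ?", (row_id,)
    ).fetchone()
    return row[0]


def label_of(stored: str) -> str:
    """Decode a stored params blob and return its 'label' (what a UI would show)."""
    return json.loads(stored)["label"]


def link_unsafe(conn, id_left: int, id_right: int, switch: str, params: dict) -> str:
    """The 'before': encoded JSON is interpolated straight into the statement."""
    encoded = json.dumps(params)  # leaves every apostrophe untouched
    sql = (
        "INSERT INTO object_relations (id_left, id_right, switch, params) "
        f"VALUES ({int(id_left)}, {int(id_right)}, '{switch}', '{encoded}')"
    )
    cur = conn.execute(sql)
    return _stored_params(conn, cur.lastrowid)


def link_escaped(conn, id_left: int, id_right: int, switch: str, params: dict) -> str:
    """Escape the literal before building the query (the approach the PR describes).

    Doubling apostrophes is the SQL-standard escape and is enough for SQLite;
    in production use the driver's own quoting helper (it also handles
    backslashes and charset issues on MySQL) rather than a hand-rolled replace.
    """
    encoded = json.dumps(params).replace("'", "''")
    switch = switch.replace("'", "''")
    sql = (
        "INSERT INTO object_relations (id_left, id_right, switch, params) "
        f"VALUES ({int(id_left)}, {int(id_right)}, '{switch}', '{encoded}')"
    )
    cur = conn.execute(sql)
    return _stored_params(conn, cur.lastrowid)


def link_bound(conn, id_left: int, id_right: int, switch: str, params: dict) -> str:
    """Preferred form: bound parameters, so the JSON is never parsed as SQL."""
    cur = conn.execute(
        "INSERT INTO object_relations (id_left, id_right, switch, params) "
        "VALUES (?, ?, ?, ?)",
        (int(id_left), int(id_right), switch, json.dumps(params)),
    )
    return _stored_params(conn, cur.lastrowid)


# Constructed malicious label: one apostrophe is all it takes. What follows it
# is parsed as SQL and splices another table's column into the stored params.
EVIL_PARAMS = {"label": "x'||(SELECT passwd FROM users LIMIT 1)||'"}


if __name__ == "__main__":
    conn = make_db()
    print("unsafe :", label_of(link_unsafe(conn, 1, 2, "attach", EVIL_PARAMS)))
    print("escaped:", label_of(link_escaped(conn, 1, 2, "attach", EVIL_PARAMS)))
    print("bound  :", label_of(link_bound(conn, 1, 2, "attach", EVIL_PARAMS)))
```

Run as a script: the unsafe path stores a label of `xhash-of-admin-pw`, i.e. the admin's password hash pulled out of an unrelated table and handed back through the relation's own parameters, which is the "expose arbitrary data from any table" effect the description mentions; the escaped and bound paths store the attacker's string verbatim and it decodes back to exactly what was sent. Note that the apostrophe is the only special character needed: JSON encoding escapes double quotes, so it gives a false sense of safety for data that ends up inside a single-quoted SQL literal.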

@batopa batopa left a comment


😱 I think we should take a look at ObjectRelation model too.

@fquffio fquffio requested a review from batopa June 3, 2019 13:42
Review thread on bedita-app/models/object_relation.php (outdated, resolved)
@batopa batopa merged commit 0ddcd46 into bedita:3-corylus Jun 6, 2019
@fquffio fquffio deleted the fix/v3/sanitize-relation-params branch June 7, 2019 10:30