
SQL injection vulnerability in field filter #439

Closed
wuhan005 opened this issue Jan 22, 2022 · 7 comments · Fixed by #442
Labels: bug (Something isn't working)

Comments

@wuhan005

The query API provides the field and value parameters to support query by field.

It inserts the user's input into the raw SQL expression which can lead to a SQL injection vulnerability.

session = session.And(fmt.Sprintf("%s like ?", util.SnakeString(field)), fmt.Sprintf("%%%s%%", value))

And the /api/get-organizations is a public route that everyone can visit.

Proof of concept:

https://door.casbin.com/api/get-organizations?p=1&pageSize=10&value=e99nb&sortField=&sortOrder=&field=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1))%20%20and%20name
@casbin-bot
Contributor

@seriouszyx @tangyang9464

@casbin-bot casbin-bot added the question Further information is requested label Jan 22, 2022
@hsluoyz
Contributor

hsluoyz commented Jan 22, 2022

@wuhan005 thanks for reporting! Do you have any suggestions for resolving it?

@hsluoyz hsluoyz added bug Something isn't working and removed question Further information is requested labels Jan 22, 2022
@laeo

laeo commented Jan 22, 2022

Strictly check that the given field is exactly one in the table, then use a prepared statement to avoid SQL injection. (Translated with Google Translate, please bear with it.)

@hsluoyz
Contributor

hsluoyz commented Jan 22, 2022

@seriouszyx can you fix this issue for all occurrences?

@seriouszyx
Contributor

@hsluoyz I'll work on it.

@wuhan005
Author

> @wuhan005 thanks for reporting! Do you have any suggestions for resolving it?

In my opinion, the input field should be filtered by an allowlist, and we should make sure that Beego's run mode is set to runmode=prod in production to avoid leaking debug information.
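A defensive sketch of the allowlist approach suggested in this thread, added here as an example that is not Casdoor's own code: the column name is accepted only if it matches a fixed set, and the filter value still travels as a bound parameter. The allowlisted column names and the toSnake helper are assumptions standing in for the project's real schema and util.SnakeString.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Assumed allowlist of columns the query API may filter on; the real set
// would be derived from the project's schema, not hard-coded like this.
var allowedFilterFields = map[string]bool{
	"name":         true,
	"display_name": true,
	"owner":        true,
}

// ErrFieldNotAllowed is returned for any field outside the allowlist.
var ErrFieldNotAllowed = errors.New("field not allowed for filtering")

// toSnake is a stand-in for util.SnakeString: CamelCase -> snake_case.
func toSnake(s string) string {
	var b strings.Builder
	for i, r := range s {
		if r >= 'A' && r <= 'Z' {
			if i > 0 {
				b.WriteByte('_')
			}
			r += 'a' - 'A'
		}
		b.WriteRune(r)
	}
	return b.String()
}

// BuildFieldFilter returns the "<col> like ?" fragment and its bound argument.
// The column name is interpolated only after it has matched the allowlist, so
// arbitrary SQL supplied via `field` is rejected; `value` is never interpolated.
func BuildFieldFilter(field, value string) (cond string, arg string, err error) {
	col := toSnake(field)
	if !allowedFilterFields[col] {
		return "", "", ErrFieldNotAllowed
	}
	return fmt.Sprintf("%s like ?", col), fmt.Sprintf("%%%s%%", value), nil
}

func main() {
	cond, arg, err := BuildFieldFilter("displayName", "e99nb")
	fmt.Println(cond, arg, err) // display_name like ? %e99nb% <nil>
	_, _, err = BuildFieldFilter("(select 1) and name", "x")
	fmt.Println(err) // field not allowed for filtering
}
```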

@wuhan005
Author

CVE-2022-24124 assigned.
