Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: fix the SQL injection vulnerability in field filter #442

Merged
merged 1 commit into from Jan 26, 2022

Conversation

seriouszyx
Copy link
Contributor

@seriouszyx seriouszyx commented Jan 23, 2022

Signed-off-by: Yixiang Zhao seriouszyx@foxmail.com

Fix: #439

Solutions:

  1. Use prepared statement
  2. Implement the black list to filter the field

For the request as below:

http://localhost:8000/api/get-organizations?p=1&pageSize=10&value=e99nb&sortField=&sortOrder=&field=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1))%20%20and%20name

Before:

image

After:

image

@casbin-bot
Copy link
Contributor

@tangyang9464 please review

@seriouszyx
Copy link
Contributor Author

@wuhan005 Please review.

@wuhan005
Copy link

It seems that the blacklist can be bypassed.

Boolean-based blind SQL injection can be used to get the value of the built-in function, the attacker can use functions like substring to make a brute-force attack and get each character of the string.

PoC:

(substring(user(),1,5) = 'hqcas') <> name
  • Correct:
    image
  • Wrong:
    image

I think we should use a whitelist instead of the blacklist.

Maybe we can use reflect.TypeOf() to get a struct fields white list easily, here is an example: https://go.dev/play/p/84zUGphgvXR

@seriouszyx
Copy link
Contributor Author

@wuhan005 Thanks for your advice. I'll fix it.

@seriouszyx
Copy link
Contributor Author

@wuhan005 Please review the newest commit using whitelists.

Copy link

@wuhan005 wuhan005 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

object/application.go Outdated Show resolved Hide resolved
object/cert.go Outdated Show resolved Hide resolved
object/check.go Outdated Show resolved Hide resolved
object/check.go Outdated Show resolved Hide resolved
object/check.go Show resolved Hide resolved
Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com>
@seriouszyx
Copy link
Contributor Author

@wuhan005 Discussed with @hsluoyz, we think the previous implementation was a bit complicated. The field only consists of upper and lower case letters and numbers in Casdoor, so we can filter easily. Could you please review the latest commit to check the SQL injection vulnerability?

@wuhan005
Copy link

@wuhan005 Discussed with @hsluoyz, we think the previous implementation was a bit complicated. The field only consists of upper and lower case letters and numbers in Casdoor, so we can filter easily. Could you please review the latest commit to check the SQL injection vulnerability?

There is no SQL injection vulnerability, nicely done.

@hsluoyz hsluoyz merged commit 5ec0c7a into casdoor:master Jan 26, 2022
5 checks passed
@casbin-bot
Copy link
Contributor

🎉 This PR is included in version 1.13.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

SQL injection vulnerability in field filter
4 participants