This repository has been archived by the owner on Feb 14, 2024. It is now read-only.

Second order sql injection fixes #597

Merged
merged 14 commits into from
Jul 10, 2023

Conversation

edujosemena (Contributor) commented Jun 30, 2023

🗣 Description

Sanitize outputs from all fetchall functions to prevent 2nd order SQL injection attacks.

💭 Motivation and context

Patch Potential Vulnerabilities


✅ Pre-approval checklist

  • This PR has an informative and human-readable title.
  • Changes are limited to a single goal - eschew scope creep!
  • All future TODOs are captured in issues, which are referenced
    in code comments.
  • All relevant type-of-change labels have been added.
  • I have read the CONTRIBUTING document.
  • These code changes follow cisagov code standards.
  • All relevant repo and/or project documentation has been updated
    to reflect the changes in this PR.
  • Tests have been added and/or modified to cover the changes in this PR.
  • All new and existing tests pass.

edujosemena and others added 5 commits June 29, 2023 11:24
Fixed SQL injection issue tied to the fetchone()[0] in the get_data_source_uid() function in db_query_source.py. Sanitized the data_source_uid uuid string that is returned by that fetchone().
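The pattern the description and commit message refer to, shown as an added example that is not pe-reports code: a uid read back from one table with fetchone() is reused in a second query, so the stored value becomes a second-order injection point. The table and column names (data_source, finding), the function names and the stored values are constructed assumptions; the hardened version validates the fetched string with uuid.UUID and binds it as a query parameter.

```python
import sqlite3
import uuid

# Constructed fixture: the uid stored in data_source is later reused in a second query.
GOOD_UID = "7c9e6679-7425-40de-944b-e07fc1f90ae7"
BAD_UID = "x' OR '1'='1"  # constructed stored value; not a UUID at all


def make_db() -> sqlite3.Connection:
    """In-memory schema and rows (assumed names, modelled on the commit message)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE data_source (data_source_uid TEXT, name TEXT);"
        "CREATE TABLE finding (data_source_uid TEXT, detail TEXT);"
    )
    conn.executemany("INSERT INTO data_source VALUES (?, ?)",
                     [(GOOD_UID, "good"), (BAD_UID, "bad")])
    conn.executemany("INSERT INTO finding VALUES (?, ?)",
                     [(GOOD_UID, "mine"), ("other-uid", "not mine")])
    return conn


def findings_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Before: whatever fetchone() returned is trusted and spliced into the next query."""
    uid = conn.execute("SELECT data_source_uid FROM data_source WHERE name = ?",
                       (name,)).fetchone()[0]
    query = f"SELECT detail FROM finding WHERE data_source_uid = '{uid}'"
    return [row[0] for row in conn.execute(query)]


def get_data_source_uid(conn: sqlite3.Connection, name: str) -> str:
    """After: the fetched string must parse as a UUID before it is reused anywhere."""
    uid = conn.execute("SELECT data_source_uid FROM data_source WHERE name = ?",
                       (name,)).fetchone()[0]
    return str(uuid.UUID(uid))  # raises ValueError for any non-UUID content


def findings_safe(conn: sqlite3.Connection, name: str) -> list:
    """The validated uid is still passed as a bound parameter, never by string formatting."""
    uid = get_data_source_uid(conn, name)
    rows = conn.execute("SELECT detail FROM finding WHERE data_source_uid = ?", (uid,))
    return [row[0] for row in rows]
```

With the constructed "bad" row, findings_unsafe returns every finding while findings_safe raises ValueError before a second query is ever built.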
@edujosemena edujosemena linked an issue Jun 30, 2023 that may be closed by this pull request
2 tasks
@edujosemena edujosemena changed the title Em sql injection fix sql injection fix Jun 30, 2023
coveralls commented Jun 30, 2023

coverage: 26.431%. first build when pulling 4afb3d5 on EM-sql-injection-fix into 1ac5df8 on develop.

@edujosemena edujosemena changed the title sql injection fix Second order sql injection fixes Jun 30, 2023
@edujosemena edujosemena added the High Priority Issue is key to completion of Sprint label Jul 5, 2023
@edujosemena edujosemena self-assigned this Jul 5, 2023
@edujosemena edujosemena marked this pull request as ready for review July 5, 2023 15:16
aloftus23 (Contributor) left a comment

Looks good to me.

edujosemena (Contributor, Author) commented

@dav3r This is ready for review.

Resolved (outdated) review comments on: src/pe_reports/data/db_query.py (3), src/pe_reports/pages.py (1)
@jasonodoom jasonodoom self-requested a review July 7, 2023 15:01
@cduhn17 cduhn17 merged commit 839e4f8 into develop Jul 10, 2023
44 checks passed
@cduhn17 cduhn17 deleted the EM-sql-injection-fix branch July 10, 2023 18:23
Development

Successfully merging this pull request may close these issues.

2nd order sql injection fix
7 participants