SQL Injection from API? #15337
Comments

I tried replicating the issue, and here's what I found:
If I have missed anything please post the steps to replicate it.

So I haven't had a chance to post it up yet, but I have demonstrated a proof of concept SQL injection from frappe.get_list (which is what the API resource thing goes to). I think you are right, @wtfbrb, that you (in general) shouldn't get SQL programming errors from client input. I can imagine that you could design a secure system that would generate SQL errors, but it would be an odd design; in general, getting an SQL error suggests you are not properly handling input. I think the statement 'This rules out the possibility of a security flaw' is clearly untrue; if you can inject SQL then permissions are irrelevant, since permissions are handled by the Python and not the SQL. Yes, you might need permissions on one Doctype to access that API, but once you have injected SQL it's all over...

I have now reported the vulnerability to Frappe.

Any update about this issue?

They did (eventually) respond. One of the issues I reported has been properly fixed. The other attack I came up with no longer works, as it brings up an 'invalid SQL query' error, so I suspect they are still trying to do the 'sanitizing' approach (which is less than ideal) rather than building fully parametrized queries, but hey-ho...

@gbm001 You're more than welcome to come and fix it. |
Is he, though? Is anyone actually welcome to fix it? In the past, Erpnext has rejected parameterized SQL and enforced a policy of sanitized-and-concatenated-string queries only. |
@silverbacknet Can you point me to such PR? |
If you go here: /api/resource/Item?fields=["name","group"] on any erpnext install you get an SQL syntax error, which has me worried about what else can be done with some escaping... field names should probably be enclosed in ` either way, if this is not a security issue :)
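To make the point of this thread concrete (an SQL error from the `fields` parameter means request data is reaching the query as SQL, and once it does, the Python-side permission check no longer protects other tables), here is an added example written for this page. It is not Frappe's or ERPNext's code: sqlite3 stands in for MariaDB, `DOCTYPE_COLUMNS`, `READABLE_DOCTYPES` and `ValidationError` are hypothetical stand-ins for the framework's metadata and error types, and the sample rows are constructed. It contrasts a concatenating `get_list` with one that allow-lists identifiers against metadata, backtick-quotes them, and binds filter values as parameters.

```python
import json
import re
import sqlite3

# Constructed sample schema standing in for a MariaDB site: the caller is
# allowed to read Item but not User.
SCHEMA = """
CREATE TABLE tabItem (name TEXT, item_group TEXT, standard_rate REAL);
CREATE TABLE tabUser (name TEXT, api_secret TEXT);
INSERT INTO tabItem VALUES ('ITEM-001', 'Products', 10.0), ('ITEM-002', 'Raw Material', 2.5);
INSERT INTO tabUser VALUES ('admin@example.com', 's3cr3t-api-key');
"""

# Hypothetical stand-in for framework metadata: the columns each doctype
# really has, and which doctypes this caller may read.
DOCTYPE_COLUMNS = {
    "Item": {"name", "item_group", "standard_rate"},
    "User": {"name", "api_secret"},
}
READABLE_DOCTYPES = {"Item"}

IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def connect():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def check_permission(doctype):
    # The permission check lives in Python; nothing in the database itself
    # stops a query that names another table.
    if doctype not in READABLE_DOCTYPES:
        raise PermissionError(f"no read permission on {doctype}")


def get_list_vulnerable(con, doctype, fields_json, filters=None):
    """Concatenation pattern: request-supplied field names are joined
    straight into the SELECT list. Deliberately unsafe."""
    check_permission(doctype)
    fields = json.loads(fields_json)
    sql = "SELECT " + ", ".join(fields) + " FROM tab" + doctype
    params = []
    if filters:
        # Binding only the values is not enough: the identifier positions
        # (field names) are still attacker-controlled SQL.
        sql += " WHERE " + " AND ".join(f"{k} = ?" for k in filters)
        params = list(filters.values())
    return con.execute(sql, params).fetchall()


class ValidationError(ValueError):
    """Raised for bad input before any SQL is built (hypothetical name)."""


def quote_identifier(doctype, field):
    # Identifiers cannot be bound as parameters, so allow-list them against
    # the doctype's known columns and then backtick-quote them.
    if not IDENT_RE.match(field) or field not in DOCTYPE_COLUMNS[doctype]:
        raise ValidationError(f"unknown field {field!r} for {doctype}")
    return f"`{field}`"


def get_list_hardened(con, doctype, fields_json, filters=None):
    """Same API shape, but field names are validated against metadata and
    quoted, and filter values go in as bind parameters."""
    check_permission(doctype)
    fields = json.loads(fields_json)
    if not isinstance(fields, list) or not fields:
        raise ValidationError("fields must be a non-empty list")
    cols = ", ".join(quote_identifier(doctype, f) for f in fields)
    sql = f"SELECT {cols} FROM `tab{doctype}`"
    params = []
    if filters:
        sql += " WHERE " + " AND ".join(
            f"{quote_identifier(doctype, k)} = ?" for k in filters
        )
        params = list(filters.values())
    return con.execute(sql, params).fetchall()


def outcome(fn, con, doctype, fields_json, filters=None):
    """Run one request and report what the caller would see."""
    try:
        return ("rows", fn(con, doctype, fields_json, filters))
    except sqlite3.Error as e:
        return ("sql_error", str(e))
    except (ValidationError, PermissionError) as e:
        return ("rejected", str(e))


if __name__ == "__main__":
    con = connect()
    # The request from the thread: "group" is a reserved word, so the
    # concatenating version surfaces a database error, not a validation error.
    print(outcome(get_list_vulnerable, con, "Item", '["name","group"]'))
    # A subquery in the field list reads a table the caller may not access.
    leak = '["name", "(SELECT api_secret FROM tabUser) AS item_group"]'
    print(outcome(get_list_vulnerable, con, "Item", leak))
    print(outcome(get_list_hardened, con, "Item", '["name","group"]'))
    print(outcome(get_list_hardened, con, "Item", leak))
    print(outcome(get_list_hardened, con, "Item", '["name","item_group"]',
                  {"item_group": "Products"}))
```

The design point is that escaping cannot fix the `fields` parameter: those values are identifiers, not data, so the only sound options are to reject anything that is not a known column of that doctype and to quote what remains. Filter values, by contrast, are data and belong in bind parameters.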