SQL Injection in Reactive project #18269
Comments
Cc @jhipster/developers

Didn't expect that. Is it the same for non-reactive/Hibernate?

I think it's important to try and check.

On non-reactive, at least when I worked on it a few years ago, we were using Hibernate's criteria API, which would prevent this.

For non-reactive I'll be extremely surprised if it's the case, since we don't do any direct SQL and everything goes via Spring Data and Hibernate.

Yes, me too. Maybe that's also the reason why we didn't check it for the reactive part in detail. Spoiled by Hibernate's power.

We should be using named parameters, isn't it? Seems like here it's generating with the value instead.

Probably, the Conditions.just taking a literal SQL string here, allowing an arbitrary WHERE clause but also being vulnerable to injection: Line 122 in 85aa8dd
and here: Line 128 in 85aa8dd

Probably came out of the following PR: #13515

@atomfrede are you working on this? Else I can try to find a fix.

Wanted to start now.

I have a CVE drafted for this, ready to go once we have a fix in place. Let me know if you need any help.

At least I can reproduce it too, pretty easily :(

When mapping the criteria manually to a condition it is not vulnerable, but somehow this seems to me as not the intended way to use Spring Data's criteria. But using @mraible Maybe you have come across this?

```java
import org.springframework.data.relational.core.sql.Column;
import org.springframework.data.relational.core.sql.Comparison;
import org.springframework.data.relational.core.sql.Conditions;
import org.springframework.data.relational.core.sql.Table;

// Criteria.where("name").is("foobar';DROP TABLE example;--");
// --> toString --> 'foobar';DROP TABLE example;--'
// name=foobar';DROP TABLE example;--
// Conditions.just() takes raw SQL text, so the value is spliced in verbatim.
Comparison equal = Conditions.isEqual(
    Column.create(criteria.getColumn(), Table.create("example")),
    Conditions.just(criteria.getValue().toString()));
```

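As an added example (not the project's generated code and not code from anyone in this thread), the following renders the same query two ways with Spring Data Relational's SQL DSL, so the difference between splicing the value into the statement text via Conditions.just and binding it via a bind marker is visible without a database. The class name WhereClauseDemo, the Example entity stand-in and the :name bind marker are assumptions for illustration; the payload is the one reported in this issue.

```java
package demo; // hypothetical package; illustrative code, not JHipster's generated code

import org.springframework.data.annotation.Id;
import org.springframework.data.r2dbc.core.R2dbcEntityTemplate;
import org.springframework.data.relational.core.query.Criteria;
import org.springframework.data.relational.core.query.Query;
import org.springframework.data.relational.core.sql.Column;
import org.springframework.data.relational.core.sql.Conditions;
import org.springframework.data.relational.core.sql.SQL;
import org.springframework.data.relational.core.sql.Select;
import org.springframework.data.relational.core.sql.Table;
import org.springframework.data.relational.core.sql.render.SqlRenderer;
import reactor.core.publisher.Flux;

/**
 * Renders the same SELECT two ways with Spring Data Relational's SQL DSL so the
 * injection is visible as statement text, without needing a database.
 */
public final class WhereClauseDemo {

    private static final Table EXAMPLE = Table.create("example");
    private static final Column NAME = EXAMPLE.column("name");

    /** Minimal stand-in for the generated entity (assumed, not the project's class). */
    public static class Example {
        @Id
        Long id;
        String name;
    }

    /**
     * Vulnerable: Conditions.just() accepts raw SQL, so the user-controlled value,
     * quotes and all, becomes part of the statement text. This mirrors the pattern
     * discussed in this issue.
     */
    static String renderWithLiteral(String userValue) {
        Select select = Select.builder()
            .select(EXAMPLE.column("id"), NAME)
            .from(EXAMPLE)
            .where(Conditions.isEqual(NAME, Conditions.just("'" + userValue + "'")))
            .build();
        return SqlRenderer.toString(select);
    }

    /**
     * Hardened: the statement text only ever contains a bind marker; the value is
     * supplied separately at execution time and is never parsed as SQL.
     */
    static String renderWithBindMarker() {
        Select select = Select.builder()
            .select(EXAMPLE.column("id"), NAME)
            .from(EXAMPLE)
            .where(Conditions.isEqual(NAME, SQL.bindMarker(":name")))
            .build();
        return SqlRenderer.toString(select);
    }

    /**
     * The same guarantee at the Spring Data level: Criteria values are always
     * bound parameters, so there is no need to turn a Criteria into a string.
     */
    static Flux<Example> findByName(R2dbcEntityTemplate template, String userValue) {
        return template
            .select(Example.class)
            .matching(Query.query(Criteria.where("name").is(userValue)))
            .all();
    }

    public static void main(String[] args) {
        String payload = "foobar';DROP TABLE example;--"; // the payload from this issue
        System.out.println("literal:     " + renderWithLiteral(payload));
        System.out.println("bind marker: " + renderWithBindMarker());
    }
}
```

The statement returned by renderWithBindMarker is what you would hand to DatabaseClient.sql(sql).bind("name", userValue); Spring's DatabaseClient expands the named parameter into the driver's own marker syntax, so the request value never reaches the SQL parser. Conditions.just only has a place for constant SQL fragments that contain no request data.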
I have created a reproducer here https://github.com/atomfrede/reactive-sql-jhipster-reproducer which has a potential hand-coded fix. Try it via

@atomfrede how important is the WHERE clause mapping? Can we remove the feature for the time being if it only affects searching in GET queries, so that we can publish a fix and then look for a proper solution?

As far as I can tell the generated application does not need it by default, I think. All CRUD operations should work without the custom criteria (need to check). So yes, we might remove it for the time being.

In that case, I vote to remove it and publish a patch and CVE. Then we can create a new issue to add the feature in a secure and scalable way (if it's important). @jdubois @pascalgrimaud @mraible @DanielFran @jhipster/developers WDYAT?

Agree with this fix. We can see later if we can do better.

So basically we will ignore the

Yes, and maybe change the signature in the generated code, if possible, to not take the criteria, and add a comment so that users don't end up adding the same manually.

Yes, I agree too with this fix.

Thanks to everyone involved. @appkr @OmarHawk we have decided to award each of you a $300 bounty, so please claim it via Open Collective. @atomfrede, for you, we (me, Julien, Pascal) think you deserve more than $500, so I'll send a mail in the public group to discuss that.

@deepu105 Thanks, the claim was filed at https://opencollective.com/generator-jhipster/expenses/71638

@appkr it's approved. Next time please do report security issues to project maintainers privately first, so we can disclose them responsibly after fixing them.

@deepu105 My bad, sorry. Yes I will if I have any.
Thanks :-). Filed it at https://opencollective.com/generator-jhipster/expenses/71657

@deepu105 the release still needs to be tagged at GitHub: https://github.com/jhipster/generator-jhipster/releases

I noticed there are two draft releases on the releases page. We should fix that and remove all the dependabot updates. As a developer, I like to quickly skim release notes, not scroll through automated patch updates from dependabot.

I'll clean those up once I have power back. Hopefully tonight or tomorrow morning.
(Sent by e-mail on Thu, 7 Apr 2022, in reply to Matt Raible's comment above.)

@mshima @mraible I don't think the release page is used at all, since I see a lot of drafts. @pascalgrimaud do you know who set up the release drafter? There are too many drafts and the date is wrong as well.

@deepu105: there was a bug 1 month ago in GitHub, that's why there are a lot of duplicated drafts. All these drafts need to be deleted manually, then release-drafter can work normally.

There are like pages and pages of them :P so that's gonna be some long task.
Thanks & Regards,
Deepu

I know, I spent a lot lot lot of time to delete them in the jhipster-lite project, but didn't have motivation to do it for generator-jhipster...

I created a ticket and assigned a bounty, let's see if someone is motivated.
Thanks & Regards,
Deepu

I don't know whether this is the right place to ask this though...
In a reactive Spring project with R2DBC, I found that SQL injection is actually possible. This may happen because of me, lacking knowledge on how to use R2DBC correctly. If that is the case please let me know the correct usage.
Setup
JDL
Change I made
name, and bind the parameter to the findAllBy(Pageable pageable, Criteria criteria) repository method
GET /api/examples?name=foobar';DROP TABLE example;--
Result
SELECT e.id AS e_id, e.name AS e_name FROM example e WHERE name = 'foobar';DROP TABLE example;--'