API - Validate columns parameter against fields in table #7717

Merged
merged 4 commits into from Nov 14, 2017

4 participants
@richardlawley
Contributor

richardlawley commented Nov 13, 2017

API functions get_all_ports and get_port_graphs had an SQL injection vulnerability as they take a list of columns to include and do not validate this. This PR adds that validation in.

Example URL: /api/v0/devices/1/ports?columns=VERSION()--

DO NOT DELETE THIS TEXT

Please note

Please read this information carefully. You can run ./scripts/pre-commit.php to check your code before submitting.

Testers

If you would like to test this pull request then please run: ./scripts/github-apply <pr_id>, i.e. ./scripts/github-apply 5926

laf Nov 13, 2017

Member

Thanks for this PR. As per my comment on discord, we actually store all table info in misc/db_schema.yaml.

$db_schema = Yaml::parse(file_get_contents($schema_file));

you can then iterate through that rather than running a DB query.

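The following is an added illustration, not code from this pull request or from LibreNMS, of the validation the PR describes combined with the schema-driven approach laf suggests above: the requested `columns` list is reduced to names that exist in the table definition before it is used to build SQL. The function names (`schema_columns`, `validate_column_list`, `port_select_unsafe`, `port_select_safe`) are hypothetical, and the shape assumed for the parsed misc/db_schema.yaml array (table => 'Columns' => list of entries with a 'Field' key) is an assumption about that file; a small array in that shape is constructed inline so the script runs without the project or a YAML library.

```php
<?php
// Added example (not LibreNMS code): validating a user-supplied `columns`
// parameter against the table definition before it reaches SQL.
//
// In the project the schema array would come from misc/db_schema.yaml via
//   $db_schema = Yaml::parse(file_get_contents($schema_file));
// The shape used here, table => ['Columns' => [['Field' => name, ...], ...]],
// is an assumption about that file; this small array is constructed inline
// so the script runs offline.
$db_schema = [
    'ports' => [
        'Columns' => [
            ['Field' => 'port_id',   'Type' => 'int(11)'],
            ['Field' => 'device_id', 'Type' => 'int(11)'],
            ['Field' => 'ifName',    'Type' => 'varchar(255)'],
            ['Field' => 'ifDescr',   'Type' => 'varchar(255)'],
        ],
    ],
];

/**
 * Column names defined for $table in the schema array ([] if the table is unknown).
 */
function schema_columns(array $db_schema, string $table): array
{
    if (empty($db_schema[$table]['Columns'])) {
        return [];
    }
    return array_map(function (array $column) {
        return $column['Field'];
    }, $db_schema[$table]['Columns']);
}

/**
 * Reduce a comma-separated `columns` query parameter to the names that exist
 * in $table. Anything else (including expressions such as VERSION()--) is
 * dropped rather than escaped, because identifiers cannot be bound as values.
 */
function validate_column_list(array $db_schema, string $table, string $requested): array
{
    $known = schema_columns($db_schema, $table);
    $wanted = array_map('trim', explode(',', $requested));
    $valid = array_filter($wanted, function ($column) use ($known) {
        return $column !== '' && in_array($column, $known, true);
    });
    return array_values($valid);
}

// Before: the parameter is spliced into the statement untouched, which is the
// defect the PR description reports.
function port_select_unsafe(string $columns): string
{
    return "SELECT $columns FROM `ports` WHERE `device_id` = ?";
}

// After: only schema-known identifiers, each backtick-quoted, reach the
// statement; an empty or fully rejected list falls back to selecting all.
function port_select_safe(array $db_schema, string $columns): string
{
    $valid = validate_column_list($db_schema, 'ports', $columns);
    $select = $valid === [] ? '*' : implode(', ', array_map(function ($column) {
        return "`$column`";
    }, $valid));
    return "SELECT $select FROM `ports` WHERE `device_id` = ?";
}

$payload = 'VERSION()--';   // the parameter from the example URL in the PR description
echo port_select_unsafe($payload), PHP_EOL;
echo port_select_safe($db_schema, $payload), PHP_EOL;
echo port_select_safe($db_schema, 'ifName, port_id, VERSION()--'), PHP_EOL;
```

Run with `php example.php`. The payload from the example URL matches no schema column, so the hardened builder falls back to `*`; the mixed list keeps only `ifName` and `port_id`. Because the allow-list is the table definition itself, adding a column to the schema is the only way to make it selectable, and the device_id value still travels as a bound parameter rather than being interpolated.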

richardlawley Nov 13, 2017

Contributor

I did look at that, but it looked a much more heavyweight option than doing a quick query to the DB to get the list for that table only. The file is 100K+ of text to be parsed and then iterated over, rather than a single SQL query which is likely held in the query cache after the first execution anyway.


laf Nov 13, 2017

Member

It's a yaml file so you just load it into an array. It should be simpler than the DB query.


richardlawley Nov 13, 2017

Contributor

Ok. I think the DB method was more efficient, but I've changed it to load from the yaml.


murrant Nov 14, 2017

Member

Looks good, just a few code style suggestions.


richardlawley Nov 14, 2017

Contributor

Fair points, wasn't aware of those functions (not primarily a PHP developer).


scrutinizer-notifier Nov 14, 2017

The inspection completed: 11 new issues, 1 updated code elements


@murrant murrant merged commit 00fc5bf into librenms:master Nov 14, 2017

2 checks passed

continuous-integration/travis-ci/pr The Travis CI build passed
license/cla Contributor License Agreement is signed.
lock bot May 16, 2018

This thread has been automatically locked since there has not been any recent activity after it was closed.


@lock lock bot locked as resolved and limited conversation to collaborators May 16, 2018
