
Fix more SQL injections #10280


Merged
merged 4 commits into from
Feb 18, 2024

Conversation

gyohuangxin
Member

@gyohuangxin gyohuangxin commented Feb 13, 2024

Notes for Reviewers

This PR fixes SQL injection in /api/v2/events and /api/system/meshync/resources/kinds.
Similar vulnerabilities have been fixed in #10207 and #9372 using the SanitizeOrderInput function, which you can use as a reference.

Signed commits

  • Yes, I signed my commits.
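As an added illustration, not code from Meshery or from this PR, the block below sketches the allowlist approach the description refers to. The `SanitizeOrderInput` here is a hypothetical stand-in written for this page (its signature and behaviour are assumptions, not the project's function), and the column names, default ordering and query string are constructed. It shows the point a reviewer of such a fix cares about: an ORDER BY fragment cannot be bound as a query parameter, so the only safe handling is to validate it against a fixed set of column names and directions and fall back to a default when it does not match.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// orderInputPattern accepts "<column>" or "<column> asc|desc", where column is a
// plain identifier. Anything else (punctuation, commas, comments, subqueries) fails.
var orderInputPattern = regexp.MustCompile(`^([a-z_][a-z0-9_]*)(?:\s+(asc|desc))?$`)

// SanitizeOrderInput is a hypothetical sanitizer constructed for this example; it is
// not Meshery's function of the same name. It normalises the user-supplied ORDER BY
// fragment, checks its shape, and requires the column to be on the caller's allowlist.
// It returns ("", false) on any rejection so the caller never interpolates raw input.
func SanitizeOrderInput(input string, allowedColumns map[string]bool) (string, bool) {
	normalized := strings.ToLower(strings.TrimSpace(input))
	m := orderInputPattern.FindStringSubmatch(normalized)
	if m == nil {
		return "", false
	}
	column, direction := m[1], m[2]
	if !allowedColumns[column] {
		return "", false // syntactically fine, but not a sortable column
	}
	if direction == "" {
		direction = "asc"
	}
	return column + " " + direction, true
}

// eventColumns is a constructed allowlist of sortable columns for the example.
var eventColumns = map[string]bool{
	"created_at": true,
	"updated_at": true,
	"severity":   true,
}

// BuildEventsQuery places the fragment in the ORDER BY position only after it has been
// validated; rejected input is replaced by a fixed default rather than echoed back.
func BuildEventsQuery(order string) string {
	clause, ok := SanitizeOrderInput(order, eventColumns)
	if !ok {
		clause = "created_at desc"
	}
	return "SELECT id, severity, created_at FROM events ORDER BY " + clause
}

func main() {
	// Constructed sample inputs: two valid, one malformed, one not on the allowlist.
	for _, in := range []string{"Severity DESC", "created_at", "severity; --", "password asc"} {
		fmt.Printf("%-16q -> %s\n", in, BuildEventsQuery(in))
	}
}
```

The allowlist is deliberately a closed set rather than a check for dangerous characters: a denylist has to anticipate every quoting and comment syntax the database accepts, while a closed set only has to name the columns the endpoint is meant to sort by.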


github-actions bot commented Feb 13, 2024

@github-actions github-actions bot added the component/mesheryctl CLI for Meshery label Feb 13, 2024
@leecalcote leecalcote added the security Issues or pull requests that address a security vulnerability label Feb 13, 2024
@leecalcote leecalcote added this to the v0.8.0 milestone Feb 13, 2024
@leecalcote
Member

This is so helpful, @gyohuangxin 💯

@@ -547,7 +547,10 @@ func ClearLine() {
clearCmd = exec.Command("cmd", "/c", "cls") // for Windows
}
clearCmd.Stdout = os.Stdout
clearCmd.Run()
err := clearCmd.Run()
if err != nil {
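Review bot: the hunk shows a bare `clearCmd.Run()` directly above the new `err := clearCmd.Run()`; unless that bare call is the line being removed (the +/- markers are not visible in this rendering), the clear command runs twice and the first result is still discarded. Please confirm the old unchecked call is deleted so only the error-checked `err := clearCmd.Run()` remains, and handle the `err != nil` branch with the project's error type as discussed below.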
Member


@gyohuangxin @MUzairS15 I wonder if we should be using a MeshKit Error here. https://docs.meshery.io/project/contributing/contributing-error

Member


What's your perspective, @MUzairS15?

Contributor


Yes, the usage of a MeshKit error is appropriate.

Member Author


@leecalcote @MUzairS15 It's a good idea. Can we create another issue to track this, so that we can fix the security issues as quickly as possible? What do you think?

Member


Ok, sure.

Member


Here we are - #10343

Signed-off-by: Xin Huang <xin1.huang@intel.com>
Labels
component/mesheryctl CLI for Meshery component/server security Issues or pull requests that address a security vulnerability
Projects
Status: Done
Development


3 participants