When dashboard/rrd/model/endpoint.py assembles its query conditions it uses plain string concatenation, which creates a SQL injection vulnerability. Although a monitoring system is probably used mainly by internal staff, a slip of the hand or some other situation can still lead to serious security problems, so I hope this can be fixed. I suspect that projects such as portal have the same security issue. I'm not familiar with Python, so I can't submit a pull request, sorry.

```python
# Query template as quoted from dashboard/rrd/model/endpoint.py; the
# function wrapper is added here only so the fragment runs on its own.
def build_endpoint_sql(qs):
    sql = '''select id, endpoint, ts from endpoint where ts > %s '''
    for q in qs:
        sql += ''' and endpoint like %s'''
    sql += ''' limit %s,%s'''
    return sql
```
Oh, by the way, could the dashboard offer a "list all Endpoints" operation? The current way of doing it is to use the SQL injection by entering % in the Endpoint field; once the SQL injection vulnerability is fixed, some other method will be needed.
https://github.com/open-falcon/dashboard/blob/master/rrd/view/api.py#L11 This API should be what you need.
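The following is an added example, not code from the open-falcon dashboard, that illustrates both points raised in this thread: the string-concatenated query shape reported in the issue, and the "enter % to list everything" trick from the follow-up comment. It runs against a constructed in-memory SQLite table standing in for the `endpoint` table (table layout, sample rows, the `ts`/`start`/`limit` values and all function names are assumptions). SQLite uses `?` placeholders where the project's snippet uses MySQL-style `%s`; the (sql, args) structure of the hardened version is the same. Note that parameterising the query stops the injection but does not by itself stop `%` from acting as a LIKE wildcard; escaping the wildcard characters handles that separately.

```python
import sqlite3

# Constructed sample rows standing in for the dashboard's `endpoint` table.
# They are not data from the open-falcon project.
SAMPLE_ENDPOINTS = [
    (1, "web-01.example", 1000),
    (2, "web-02.example", 1000),
    (3, "db-01.example", 1000),
    (4, "100%cpu.example", 1000),  # contains a literal LIKE wildcard character
]


def make_db():
    """In-memory SQLite stand-in for the MySQL table the dashboard queries."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table endpoint (id integer, endpoint text, ts integer)")
    conn.executemany("insert into endpoint values (?, ?, ?)", SAMPLE_ENDPOINTS)
    return conn


def build_sql_vulnerable(qs, ts, start, limit):
    """String-concatenation pattern reported in the issue: every search term
    is pasted straight into the SQL text, so quotes and comment markers in
    `q` rewrite the statement instead of being matched as data."""
    sql = "select id, endpoint, ts from endpoint where ts > %s " % ts
    for q in qs:
        sql += "and endpoint like '%%%s%%' " % q
    sql += "limit %s,%s" % (start, limit)
    return sql


def query_vulnerable(conn, qs, ts=500, start=0, limit=10):
    rows = conn.execute(build_sql_vulnerable(qs, ts, start, limit))
    return sorted(row[1] for row in rows)


def escape_like(term, esc="\\"):
    """Neutralise LIKE metacharacters so a user-supplied `%` or `_` is
    matched literally instead of acting as a wildcard."""
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def query_safe(conn, qs, ts=500, start=0, limit=10, escape_wildcards=True):
    """Parameterised version: the SQL text is fixed and user input only ever
    travels as bound values. sqlite3 uses `?` placeholders; a MySQL driver
    taking `%s` placeholders is called with the same (sql, args) pair."""
    sql = "select id, endpoint, ts from endpoint where ts > ? "
    args = [ts]
    for q in qs:
        if escape_wildcards:
            sql += "and endpoint like ? escape '\\' "
            args.append("%" + escape_like(q) + "%")
        else:
            # Safe against injection, but `%` in q still matches every row.
            sql += "and endpoint like ? "
            args.append("%" + q + "%")
    sql += "limit ?,?"
    args.extend([start, limit])
    rows = conn.execute(sql, args)
    return sorted(row[1] for row in rows)


if __name__ == "__main__":
    conn = make_db()
    print(query_vulnerable(conn, ["web"]))          # ['web-01.example', 'web-02.example']
    print(build_sql_vulnerable(["' or 1=1 --"], 500, 0, 10))  # WHERE and LIMIT rewritten
    print(query_vulnerable(conn, ["' or 1=1 --"]))  # all four rows
    print(query_safe(conn, ["' or 1=1 --"]))        # []
    print(query_vulnerable(conn, ["%"]))            # all four rows
    print(query_safe(conn, ["%"], escape_wildcards=False))  # still all four rows
    print(query_safe(conn, ["%"]))                  # ['100%cpu.example']
```

The payload `' or 1=1 --` closes the quoted LIKE pattern, appends an always-true condition and comments out the `limit` clause, so the vulnerable builder returns every row; the parameterised builder treats the same string as a literal search term and finds nothing. The `escape_wildcards` flag makes the second, separate fix visible: with it off, `%` still lists every endpoint through the LIKE wildcard, which is the behaviour the follow-up comment relies on; with it on, `%` only matches endpoints that literally contain a percent sign.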