SQL injection vulnerability #18

Closed
zhouzhui opened this issue May 20, 2016 · 2 comments

Comments

@zhouzhui

In dashboard/rrd/model/endpoint.py, the query condition is assembled with simple string concatenation, which leaves a SQL injection vulnerability. Although the monitoring system is probably used mainly by internal staff, a slip of the hand or other circumstances could sometimes lead to serious security problems, so I hope this can be fixed. I also suspect that projects such as portal have the same security problem. I'm not familiar with Python, so I can't submit a pull request, sorry.

    sql = '''select id, endpoint, ts from endpoint where ts > %s '''
    for q in qs:
        sql += ''' and endpoint like %s'''
    sql += ''' limit %s,%s'''
@zhouzhui (Author)

Oh, by the way, could the dashboard offer a "list all Endpoints" action? Currently I achieve this through the SQL injection by entering % in the Endpoint field; if the SQL injection vulnerability is fixed there will probably need to be another way.
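The two comments above raise two separate points: the first is that building the WHERE clause by formatting user input into the SQL text is unsafe, and the second is that entering `%` into the search field happens to list every endpoint, which is a LIKE wildcard effect rather than something a fix should rely on. The following example is added here and is not the project's code: it reconstructs the concatenating builder the issue describes (hypothetical, using `%`-formatting so the input lands inside the SQL string), puts a parameterized builder beside it, escapes LIKE wildcards so a literal `%` in the search box means a literal `%`, and exposes an explicit `list_all` switch instead of the wildcard trick. The `endpoint` table and its rows are constructed for the example and stand in for the dashboard's real table, using the column names from the query in the issue.

```python
import sqlite3

# Constructed sample rows standing in for the dashboard's `endpoint` table
# (assumption: columns id, endpoint, ts, as in the query quoted in the issue).
SAMPLE_ROWS = [
    (1, "web-01.example", 100),
    (2, "web-02.example", 200),
    (3, "db-01.example", 300),
    (4, "o'neil.example", 400),   # a legitimate value containing a quote
]


def make_db():
    """Build an in-memory SQLite database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table endpoint (id integer, endpoint text, ts integer)")
    conn.executemany("insert into endpoint values (?, ?, ?)", SAMPLE_ROWS)
    return conn


def query_concatenated(conn, ts, qs, start, limit):
    """Hypothetical reconstruction of the pattern the issue reports:
    every search term is formatted straight into the SQL text, so a quote
    in the input (a typo is enough) changes the statement's structure."""
    sql = "select id, endpoint, ts from endpoint where ts > %s" % ts
    for q in qs:
        sql += " and endpoint like '%%%s%%'" % q
    sql += " limit %s,%s" % (start, limit)
    return conn.execute(sql).fetchall()


def _escape_like(term):
    """Parameter binding keeps `term` out of the SQL text, but LIKE still
    treats % and _ inside the bound value as wildcards. Escape them so the
    user's characters are matched literally."""
    return (term.replace("\\", "\\\\")
                .replace("%", "\\%")
                .replace("_", "\\_"))


def query_parameterized(conn, ts, qs, start, limit, list_all=False):
    """Hardened builder: the SQL text contains only placeholders, values
    travel separately, and listing everything is an explicit option rather
    than a side effect of a wildcard in the search box."""
    sql = "select id, endpoint, ts from endpoint where ts > ?"
    params = [ts]
    if not list_all:
        for q in qs:
            sql += " and endpoint like ? escape '\\'"
            params.append("%" + _escape_like(q) + "%")
    sql += " limit ?,?"
    params += [start, limit]
    return conn.execute(sql, params).fetchall()


def concatenation_breaks_on(conn, term):
    """True if the concatenating builder cannot even run for `term`,
    i.e. the input altered the statement rather than being searched for."""
    try:
        query_concatenated(conn, 0, [term], 0, 10)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    print("concatenated, term '%':", query_concatenated(db, 0, ["%"], 0, 10))
    print("concatenated, term o'neil breaks:", concatenation_breaks_on(db, "o'neil"))
    print("parameterized, term o'neil:", query_parameterized(db, 0, ["o'neil"], 0, 10))
    print("parameterized, term '%':", query_parameterized(db, 0, ["%"], 0, 10))
    print("parameterized, list_all:", query_parameterized(db, 0, [], 0, 10, list_all=True))
```

With the concatenating builder the term `%` returns every row and the term `o'neil` raises a syntax error; with the parameterized builder `o'neil` is found as a literal value, `%` matches nothing because no endpoint contains a literal percent sign, and `list_all=True` is the supported way to get the full listing the second comment asks for. The same separation of SQL text from values applies unchanged to MySQLdb-style `%s` placeholders when the parameters are passed as the second argument to `execute`.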

@ninjadq

ninjadq commented May 26, 2016

@laiwei laiwei closed this as completed Apr 23, 2017