SQL injection is possible #36
Comments
@pixelbender thanks for reporting. Do you want to send a pull request fixing the issue?
Hello guys, I'll take care of this problem. ... Complementing ... I will use the same solution in other parts of the code that are also vulnerable. Other entries such as field names can also be attacked; in those cases I will simply check whether they contain invalid characters and return an error if I find a semicolon, quotes, etc.
@pixelbender thanks for reporting this bug. We at @nuveo weren't thinking of that initially because we expected pREST to be used in a private network (no public access). We will put priority on this bug.
Database name is mandatory, and an existing database may be running on the host machine.
Using fmt.Sprintf on user input data:
https://github.com/nuveo/prest/blob/master/adapters/postgres/postgres.go#L58
and then calling postgres.Query:
https://github.com/nuveo/prest/blob/master/controllers/databases.go#L25
is a very bad practice that allows the user to perform SQL injection.
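The pattern the report describes (a user-supplied name pasted into SQL text with fmt.Sprintf) next to the two fixes the thread converges on, as an added example that is not pREST's own code and not part of the original issue. The query text, the function names, the 63-character PostgreSQL identifier limit and the injection payload are assumptions made for the illustration; the quoting helper hand-rolls the double-quote escaping that a driver-level identifier quoter performs.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// BuildQueryUnsafe shows the vulnerable pattern: the caller's string
// becomes part of the SQL text, so a quote in the input ends the
// literal and whatever follows is executed as SQL.
// Constructed illustration, not the project's real query.
func BuildQueryUnsafe(dbName string) string {
	return fmt.Sprintf("SELECT datname FROM pg_database WHERE datname = '%s'", dbName)
}

// BuildQueryParameterized is the fix for values: the name is passed as
// a bind parameter ($1), so the driver sends it separately from the SQL
// text and it can never be parsed as SQL.
func BuildQueryParameterized(dbName string) (string, []interface{}) {
	return "SELECT datname FROM pg_database WHERE datname = $1", []interface{}{dbName}
}

// Bind parameters cannot carry identifiers (table or column names), which
// the thread also mentions. For those, allow-list the characters rather
// than searching for bad ones.
var identRe = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

// ValidateIdentifier accepts only plain SQL identifiers. The 63-byte
// limit is PostgreSQL's maximum identifier length (assumption for this
// example; adjust if you need quoted identifiers with other characters).
func ValidateIdentifier(name string) error {
	if len(name) == 0 || len(name) > 63 {
		return errors.New("identifier must be 1..63 characters")
	}
	if !identRe.MatchString(name) {
		return fmt.Errorf("identifier %q contains characters outside [A-Za-z0-9_]", name)
	}
	return nil
}

// QuoteIdentifier wraps the name in double quotes and doubles any
// embedded double quote, which is how PostgreSQL escapes identifiers.
func QuoteIdentifier(name string) string {
	return `"` + strings.ReplaceAll(name, `"`, `""`) + `"`
}

// BuildSelectFromTable combines validation and quoting for a table name
// that must be interpolated into the SQL text.
func BuildSelectFromTable(table string) (string, error) {
	if err := ValidateIdentifier(table); err != nil {
		return "", err
	}
	return "SELECT * FROM " + QuoteIdentifier(table), nil
}

func main() {
	// Constructed payload: closes the literal, appends a statement,
	// comments out the rest of the original query.
	payload := "prest'; DROP DATABASE prest; --"

	fmt.Println("unsafe:", BuildQueryUnsafe(payload))

	q, args := BuildQueryParameterized(payload)
	fmt.Printf("safe:   %s  args=%q\n", q, args)

	for _, t := range []string{"users", "users; DROP TABLE x", `we"ird`} {
		if s, err := BuildSelectFromTable(t); err != nil {
			fmt.Println("rejected:", err)
		} else {
			fmt.Println("accepted:", s)
		}
	}
}
```

The allow-list check is stricter than a blocklist of semicolons and quotes: it also rejects comment markers, whitespace and Unicode look-alikes that a blocklist would have to enumerate one by one.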