SQL injection is possible #36

Closed
pixelbender opened this issue Dec 11, 2016 · 3 comments
Comments

@pixelbender

Using fmt.Sprintf with user input data:
https://github.com/nuveo/prest/blob/master/adapters/postgres/postgres.go#L58
and then calling postgres.Query:
https://github.com/nuveo/prest/blob/master/controllers/databases.go#L25
is a very bad practice that allows the user to make SQL injections.

@felipeweb
Member

@pixelbender thanks for reporting. Do you want to send a pull request fixing the issue?

@felipeweb felipeweb added bug and removed enhancement labels Dec 11, 2016
@crgimenes
Contributor

crgimenes commented Dec 11, 2016

Hello guys, I'll take care of this problem.
Suggestions are welcome.

... Complementing ...
The idea is to change WhereByRequest to return two results, the first is a string with the where clause and the second a string array containing the values that will be processed via Prepare.

I will use the same solution in other parts of the code that are also vulnerable.

Other entries such as field names can also be attacked; in these cases I will simply check whether they contain invalid characters and return an error if I find a semicolon, quotes, etc.
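One way to implement the two-result WhereByRequest described above, as an added example that is not pREST's own code: the function name comes from the comment, while the url.Values input, the identifier whitelist regex and the PostgreSQL `$N` placeholder style are assumptions. Values are returned separately for binding through Prepare, and field names, which cannot be bound, are rejected when they contain anything but plain identifier characters.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"sort"
	"strings"
)

// identRe allows only plain SQL identifiers; quotes, semicolons, spaces and
// other punctuation in a field name are rejected rather than interpolated.
var identRe = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

// WhereByRequest builds a WHERE clause from query-string filters such as
// ?name=bob&age=30. Values never enter the SQL text: they are returned
// separately, in placeholder order, for binding via Prepare/Query.
// (Hypothetical reimplementation of the idea in this thread, not pREST's code.)
func WhereByRequest(params url.Values) (string, []interface{}, error) {
	keys := make([]string, 0, len(params))
	for k := range params {
		keys = append(keys, k)
	}
	sort.Strings(keys) // deterministic placeholder numbering
	var conds []string
	var args []interface{}
	for _, field := range keys {
		// Identifiers cannot be bound as parameters, so they are whitelisted instead.
		if !identRe.MatchString(field) {
			return "", nil, fmt.Errorf("invalid field name %q", field)
		}
		for _, v := range params[field] {
			args = append(args, v) // raw value goes to the driver, not into the string
			conds = append(conds, fmt.Sprintf("%s = $%d", field, len(args)))
		}
	}
	if len(conds) == 0 {
		return "", nil, nil
	}
	return "WHERE " + strings.Join(conds, " AND "), args, nil
}

func main() {
	// Constructed sample request: the apostrophe stays inside args, so the
	// statement text itself is unaffected by the value.
	q, _ := url.ParseQuery("name=O'Brien&age=30")
	clause, args, err := WhereByRequest(q)
	fmt.Println(clause, args, err)
}
```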

@avelino
Member

avelino commented Dec 11, 2016

@pixelbender thanks for reporting this bug, we at @nuveo weren't thinking about that initially because pREST would be used in a private network (no public access); we will put priority on this bug.

@felipeweb felipeweb added this to the 0.1 milestone Dec 14, 2016
avelino pushed a commit that referenced this issue Jul 16, 2020
avelino pushed a commit that referenced this issue Aug 21, 2020
Database name is mandatory, and existing database may be running on the host machine.