
SQL Injection in "sort" parameter on /users/ page #1189

Open
tsparksh opened this issue Jan 7, 2020 · 6 comments · May be fixed by #1227
@tsparksh
Member

tsparksh commented Jan 7, 2020

What happened just before the problem occurred

SQL injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL statements that control a web application's database server. An attacker can use SQL injection to bypass a web application's authentication and authorization mechanisms and retrieve the contents of an entire database. SQLi can also be used to add, modify and delete records in a database, affecting data integrity. Under the right circumstances, SQLi can also be used by an attacker to execute OS commands, which may then be used to escalate an attack even further.

Due to the lack of filtering of the sort parameter, SQL injection is possible (near ORDER BY)

Demonstration:
http://mapknitter.org/users/?sort=asdasd =>
SELECT users.*, count(users.id) as maps_count FROM 'users' INNER JOIN 'maps' ON 'maps'.'user_id' = 'users'.'id' GROUP BY maps.user_id ORDER BY asdasd desc LIMIT 24 OFFSET 0

Relevant URLs

http://mapknitter.org/users/

How to fix

Use parameterized queries when dealing with SQL queries that contain user input. Parameterized queries allow the database to understand which parts of the SQL query should be considered user input, therefore solving SQL injection.

@welcome

welcome bot commented Jan 7, 2020

Thanks for opening your first issue here! Please follow the issue template to help us help you 👍🎉😄
If you have screenshots to share demonstrating the issue, that's really helpful! 📸 You can make a gif too!

@Uzay-G
Member

Uzay-G commented Jan 7, 2020

I'm not sure security errors like this should be reported in open issues.

@tsparksh
Member Author

tsparksh commented Jan 7, 2020

Hey, @Uzay-G. We already have some security reports opened (publiclab/plots2#3966, publiclab/plots2#744, publiclab/plots2#3549). So I don’t think this is a problem.

@jywarren, can you check this and publiclab/plots2#7133, please? How should I report such security issues?

@jywarren
Member

jywarren commented Jan 7, 2020

I think we can look to the controllers where this is affected:

.order(sort_column + ' ' + sort_direction)

I think it should be:

.order("? ?", sort_column, sort_direction)

Then Rails will sanitize the params! Can we make this change now?
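The following is an added example, not MapKnitter's own code and not the change proposed in the comment above. It shows the defence most Rails applications use for this class of bug: because the column name and direction in an ORDER BY are SQL identifiers and keywords rather than values, they cannot be supplied as bind parameters the way a WHERE value can, so the controller maps the incoming `sort` and `direction` parameters onto an allowlist and falls back to a default for anything else. The constant and method names, the column mapping (`users.login`, `users.created_at`), and the sample log lines are all assumptions constructed for the example; the query string `?sort=asdasd` is the one from the report.

```ruby
# Added example (not MapKnitter's own code): allowlist-based handling of the
# ?sort= and ?direction= parameters before they reach ActiveRecord's .order.
# Column names and directions are identifiers/keywords, not values, so they
# cannot be bound as parameters; only known-good names are accepted.
# Constant, method and column names below are assumptions for illustration.

SORTABLE_COLUMNS = {
  "username"   => "users.login",
  "maps_count" => "maps_count",
  "created_at" => "users.created_at",
}.freeze
DEFAULT_SORT = "created_at"
DIRECTIONS = %w[asc desc].freeze

# Returns the column expression for a requested sort key, or the default
# expression when the key is not on the allowlist.
def sort_column(param)
  SORTABLE_COLUMNS.fetch(param.to_s, SORTABLE_COLUMNS[DEFAULT_SORT])
end

# Returns "asc" or "desc" and nothing else; unknown input becomes "desc".
def sort_direction(param)
  value = param.to_s.downcase
  DIRECTIONS.include?(value) ? value : "desc"
end

# Builds the ORDER BY fragment a controller would pass to .order(...).
# Every byte of the result comes from the constants above, never from params.
def order_clause(params)
  "#{sort_column(params["sort"])} #{sort_direction(params["direction"])}"
end

# Constructed sample log lines in the shape of Rails' request logging, used
# to show how a defender can spot sort values that fall outside the allowlist.
SAMPLE_LOG = <<~LOG
  Started GET "/users/?sort=asdasd" for 203.0.113.5 at 2020-01-07 10:00:00 +0000
  Parameters: {"sort"=>"asdasd"}
  Started GET "/users/?sort=username&direction=asc" for 203.0.113.6 at 2020-01-07 10:00:05 +0000
  Parameters: {"sort"=>"username", "direction"=>"asc"}
LOG

# Returns the sort values seen in "Parameters:" lines that are not on the
# allowlist; each one is a request the fallback above would have neutralised.
def unexpected_sort_values(log)
  log.scan(/Parameters: \{[^}]*"sort"=>"([^"]*)"/).flatten
     .reject { |v| SORTABLE_COLUMNS.key?(v) }
end

if __FILE__ == $PROGRAM_NAME
  puts order_clause({ "sort" => "asdasd" })                      # users.created_at desc
  puts order_clause({ "sort" => "maps_count", "direction" => "asc" })  # maps_count asc
  p unexpected_sort_values(SAMPLE_LOG)                            # ["asdasd"]
end
```

With this in place the report's `?sort=asdasd` request sorts by the default column instead of reaching the database, and the `unexpected_sort_values` check gives a quick way to review request logs for sort values that were rejected.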

@StlMaris123 StlMaris123 self-assigned this Jan 9, 2020
@StlMaris123

Is there anyone working on this? I would love to work on it

@tsparksh
Member Author

tsparksh commented Jan 9, 2020

@StlMaris123, sure, go ahead!
