How can we prevent attackers from submitting live component URLs directly? #1674
Comments
Is there a way to stop this, or any rate limiter?
@rajansharmax could you provide more details to security [at] symfony.com?
So the attacker added the live component URL to the bot, and maybe they are trying to inject a SQL query. So my question is: how can we prevent this kind of form submission? We are getting a lot of error log messages. Is there any rate limiter for this, or do we need to add rate limiters on the server?
I'll try to answer, but keep in mind that depending on your components, your needs, etc., some of these points may not be applicable to your project.
On your app side, there is no risk of SQL injection if you're using DTOs or scalars. For Doctrine entities, if you use the query builder or predefined repository functions, neither (the string values will be escaped by Doctrine before being set, and should probably not pass your entity validation constraints, I guess). In the end, a live component URL is like any controller URL in Symfony, and you can leverage all the usual tools provided by Symfony / your server to control it. Concerning the error log messages: are they just "404" errors, or is there something more suspicious here?
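The reply above says a live component URL is an ordinary Symfony route, so the usual request-level controls apply. As an added example (not code from the issue or from the symfony/ux project), the listener below applies Symfony's RateLimiter component to every request whose path starts with the `/_components/` prefix seen in the issue's URL, keyed by client IP, and rejects excess traffic with a 429 before the component is ever hydrated. The limiter name `live_components`, the config file path, the listener class name and the 60-per-minute budget are assumptions chosen for the example; the APIs used (`RateLimiterFactory`, `RequestEvent`, `TooManyRequestsHttpException`) are Symfony's own.

```php
<?php
// src/EventListener/LiveComponentRateLimitListener.php (assumed path; example code)
//
// Requires a limiter declared in framework config, e.g. config/packages/rate_limiter.yaml (assumed):
//
// framework:
//     rate_limiter:
//         live_components:
//             policy: sliding_window
//             limit: 60
//             interval: '1 minute'
//
// Symfony autowires that limiter into a `RateLimiterFactory $liveComponentsLimiter` argument.
declare(strict_types=1);

namespace App\EventListener;

use Symfony\Component\EventDispatcher\Attribute\AsEventListener;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\Exception\TooManyRequestsHttpException;
use Symfony\Component\HttpKernel\KernelEvents;
use Symfony\Component\RateLimiter\RateLimiterFactory;

// Priority 64 runs before the router (32) and the firewall (8), so the
// budget is charged even for requests that would otherwise 404.
#[AsEventListener(event: KernelEvents::REQUEST, priority: 64)]
final class LiveComponentRateLimitListener
{
    // URL prefix used by Symfony UX Live Components, as in the issue's example URL.
    private const LIVE_COMPONENT_PREFIX = '/_components/';

    public function __construct(
        // Autowired from the "live_components" limiter in framework config (assumed name).
        private readonly RateLimiterFactory $liveComponentsLimiter,
    ) {
    }

    public function __invoke(RequestEvent $event): void
    {
        // Sub-requests (fragments, ESI) share the main request's budget; skip them.
        if (!$event->isMainRequest()) {
            return;
        }

        $request = $event->getRequest();
        if (!str_starts_with($request->getPathInfo(), self::LIVE_COMPONENT_PREFIX)) {
            return;
        }

        // Key the limiter on the client IP so one abusive client cannot exhaust
        // the budget for everyone. Behind a proxy, configure trusted proxies so
        // getClientIp() returns the real client address.
        $limiter = $this->liveComponentsLimiter->create($request->getClientIp() ?? 'unknown');
        $limit = $limiter->consume(1);

        if (!$limit->isAccepted()) {
            // Tell well-behaved clients when they may retry; the kernel turns this into a 429.
            $retryAfter = max(1, $limit->getRetryAfter()->getTimestamp() - time());
            throw new TooManyRequestsHttpException($retryAfter, 'Too many live component requests.');
        }
    }
}
```

Because the check runs before routing, it also stops the flood of 404 error-log entries mentioned in the issue once a client exceeds its budget; tune the `limit`/`interval` to the real re-render rate of your components so legitimate users are never throttled, and consider a stricter budget keyed on the component name (`SearchForm` in the example URL) if one component is targeted more than others.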
http://websitename/_components/SearchForm?props=
So the attacker is using the live component URL to pass malicious code. How can we stop this?