Project

General

Profile

Actions

Bug #23724

closed

Unescape SQL in eventlog filter

Added by François ARMAND 7 months ago. Updated 3 months ago.

Status:
Released
Priority:
N/A
Category:
Security
Target version:
Severity:
UX impact:
User visibility:
Effort required:
Priority:
0
Name check:
To do
Fix check:
Checked
Regression:
No

Description

In eventlog filter, we don't correctly escape the input from user before doing the SQL query. That doesn't look like being exploitable (backend correclty fault), but db information about the faulty request are returned in the (console) error message. The DB structure is open source, but still, this case must be forbidden by construction, way before we reach that error.


Subtasks 1 (0 open1 closed)

Bug #23738: Error in upmerge (empty TestMigrateSystemTechnique7_0.scala)ReleasedVincent MEMBRÉActions
Actions #1

Updated by François ARMAND 7 months ago

  • Status changed from New to In progress
Actions #2

Updated by François ARMAND 7 months ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from François ARMAND to Vincent MEMBRÉ
  • Pull Request set to https://github.com/Normation/rudder/pull/5166
Actions #3

Updated by Anonymous 7 months ago

  • Status changed from Pending technical review to Pending release
Actions #4

Updated by François ARMAND 7 months ago

  • Subtask #23738 added
Actions #5

Updated by Clark ANDRIANASOLO 7 months ago

  • Fix check changed from To do to Checked
Actions #6

Updated by Vincent MEMBRÉ 6 months ago

This bug has been fixed in Rudder 7.3.10 and 8.0.4 which were released today.

Actions #7

Updated by Alexis Mousset 5 months ago

  • Private changed from Yes to No
Actions #8

Updated by Vincent MEMBRÉ 3 months ago

  • Status changed from Pending release to Released
Actions

Also available in: Atom PDF