Bug #23724

closed

Unescape SQL in eventlog filter

Added by François ARMAND 6 months ago. Updated about 1 month ago.

Status: Released
Priority: N/A
Category: Security
Target version:
Severity:
UX impact:
User visibility:
Effort required:
Priority: 0
Name check: To do
Fix check: Checked
Regression: No

Description

In the eventlog filter, we don't correctly escape the input from the user before doing the SQL query. That doesn't look exploitable (the backend correctly faults), but DB information about the faulty request is returned in the (console) error message. The DB structure is open source, but still, this case must be forbidden by construction, way before we reach that error.


Subtasks 1 (0 open, 1 closed)

Bug #23738: Error in upmerge (empty TestMigrateSystemTechnique7_0.scala) (Released, Vincent MEMBRÉ)

#1

Updated by François ARMAND 6 months ago

  • Status changed from New to In progress
#2

Updated by François ARMAND 6 months ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from François ARMAND to Vincent MEMBRÉ
  • Pull Request set to https://github.com/Normation/rudder/pull/5166
#3

Updated by Anonymous 6 months ago

  • Status changed from Pending technical review to Pending release
#4

Updated by François ARMAND 6 months ago

  • Subtask #23738 added
#5

Updated by Clark ANDRIANASOLO 5 months ago

  • Fix check changed from To do to Checked
#6

Updated by Vincent MEMBRÉ 5 months ago

This bug has been fixed in Rudder 7.3.10 and 8.0.4 which were released today.

#7

Updated by Alexis Mousset 4 months ago

  • Private changed from Yes to No
#8

Updated by Vincent MEMBRÉ about 1 month ago

  • Status changed from Pending release to Released