Bug #23724: Unescape SQL in eventlog filter - Rudder - Issue Tracker

Actions

Copy link

Bug #23724

closed

Unescape SQL in eventlog filter

Added by François ARMAND 6 months ago. Updated about 2 months ago.

Status:

Released

Priority:

N/A

Assignee:

Vincent MEMBRÉ

Category:

Security

Target version:

7.3.10

Pull Request:

https://github.com/Normation/rudder/p...

Severity:

UX impact:

User visibility:

Effort required:

Priority:

Name check:

To do

Fix check:

Checked

Regression:

Description

In eventlog filter, we don't correctly escape the input from user before doing the SQL query. That doesn't look like being exploitable (backend correclty fault), but db information about the faulty request are returned in the (console) error message. The DB structure is open source, but still, this case must be forbidden by construction, way before we reach that error.

Subtasks 1 (0 open — 1 closed)

History
Notes
Property changes
Associated revisions

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Rudder

Custom queries

Bug #23724

Unescape SQL in eventlog filter

Updated by François ARMAND 6 months ago

Updated by François ARMAND 6 months ago

Updated by Anonymous 6 months ago

Updated by François ARMAND 6 months ago

Updated by Clark ANDRIANASOLO 6 months ago

Updated by Vincent MEMBRÉ 5 months ago

Updated by Alexis Mousset 4 months ago

Updated by Vincent MEMBRÉ about 2 months ago