Bug #23724: Unescape SQL in eventlog filter - Rudder - Issue Tracker

Actions

Copy link

Bug #23724

closed

Unescape SQL in eventlog filter

Added by François ARMAND about 1 year ago. Updated 8 months ago.

Status:

Released

Priority:

N/A

Assignee:

Vincent MEMBRÉ

Category:

Security

Target version:

7.3.10

Pull Request:

https://github.com/Normation/rudder/p...

Severity:

UX impact:

User visibility:

Effort required:

Priority:

Name check:

To do

Fix check:

Checked

Regression:

Description

In eventlog filter, we don't correctly escape the input from user before doing the SQL query. That doesn't look like being exploitable (backend correclty fault), but db information about the faulty request are returned in the (console) error message. The DB structure is open source, but still, this case must be forbidden by construction, way before we reach that error.

Subtasks 1 (0 open — 1 closed)

History
Notes
Property changes
Associated revisions

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Rudder

Custom queries

Bug #23724

Unescape SQL in eventlog filter

Updated by François ARMAND about 1 year ago

Updated by François ARMAND about 1 year ago

Updated by Anonymous about 1 year ago

Updated by François ARMAND about 1 year ago

Updated by Clark ANDRIANASOLO 12 months ago

Updated by Vincent MEMBRÉ 11 months ago

Updated by Alexis Mousset 11 months ago

Updated by Vincent MEMBRÉ 8 months ago