mod-courses / MODCR-66

CQL/SQL injection courseListingId


      Description

      CourseAPI.java has this code with CQL injection:

      String.format("courseListingId = %s", listingId)

      String.format("DELETE FROM %s_%s.%s WHERE jsonb->>'courseListingId' = '%s'",
              tenantId, "mod_courses", COURSES_TABLE, listingId);

      The listingId variable is used without validation and without masking for CQL or SQL characters resulting in CQL and SQL injection.

      Solution:
      Use

      StringUtil.cqlEncode(listingId)

      to correctly wrap and encode the listingId.

      For delete use RMB's PgUtil.delete to avoid duplicate code and to avoid any CQL and SQL injection.

      Note that

      courseListingId =

      is a full-text search and the wrong operator. Instead

      courseListingId ==

      should be used to make use of the b-tree index that RMB has automatically created for this foreign key field. This should be fixed together with the CQL/SQL injection issues.
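The following is an added illustration, not code from mod-courses or RMB. It reimplements in Python the escaping rule the issue relies on (wrap the value in double quotes and backslash-escape the characters CQL treats specially: backslash, double quote, `*`, `?`, `^`; this is an assumption about what `StringUtil.cqlEncode` does), builds the query in both the vulnerable `=` form from CourseAPI.java and the fixed `==` form, and adds an optional allow-list check. The assumption that `courseListingId` is a UUID is mine and not stated in the issue.

```python
import re

# Characters CQL treats specially inside a quoted term. The encoder escapes
# each with a backslash and wraps the whole value in double quotes.
# Assumption: this mirrors what RMB's StringUtil.cqlEncode does; it is a
# reimplementation for illustration, not RMB's own code.
_CQL_SPECIAL = '\\"*?^'


def cql_encode(value: str) -> str:
    """Return value as a quoted CQL term with special characters escaped."""
    escaped = ''.join('\\' + ch if ch in _CQL_SPECIAL else ch for ch in value)
    return '"' + escaped + '"'


def unsafe_query(listing_id: str) -> str:
    """The pattern from CourseAPI.java: raw interpolation, full-text '=' operator."""
    return f"courseListingId = {listing_id}"


def safe_query(listing_id: str) -> str:
    """Fixed form: exact-match '==' operator plus an encoded, quoted term."""
    return f"courseListingId == {cql_encode(listing_id)}"


# Assumption: courseListingId is a UUID (FOLIO record ids usually are). An
# allow-list check like this rejects anything else before it reaches a query,
# as defence in depth on top of the encoding.
_UUID_RE = re.compile(
    r'[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}', re.I)


def is_valid_listing_id(listing_id: str) -> bool:
    """True only when the value has the shape of a UUID."""
    return _UUID_RE.fullmatch(listing_id) is not None


def count_unescaped_quotes(query: str) -> int:
    """Count double quotes not preceded by a backslash. A single quoted term
    is intact exactly when only its two enclosing quotes remain unescaped.
    (Simplified: does not handle an escaped backslash followed by a quote.)"""
    return len(re.findall(r'(?<!\\)"', query))


if __name__ == "__main__":
    # Constructed sample values: a well-formed id and one carrying CQL metacharacters.
    normal = "4f2b1c0e-9a3d-4e1b-8c6a-2d5e7f8a9b0c"
    odd = 'x"y*z'
    print(unsafe_query(odd))      # quote and '*' reach the parser as syntax
    print(safe_query(odd))        # both are escaped inside one quoted term
    print(is_valid_listing_id(normal), is_valid_listing_id(odd))
```

With the unsafe form the caller's value is spliced straight into the query text, so any quote or wildcard in it changes the query's structure; with the encoded form the whole value stays one literal term, and the `==` operator lets PostgreSQL use the b-tree index the issue mentions instead of a full-text match.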


              People

              Assignee:
              kurt Kurt Nordstrom
              Reporter:
              julianladisch Julian Ladisch