MODCR-66 (mod-courses): CQL/SQL injection courseListingId


    Description

      CourseAPI.java has this code with CQL injection:

      String.format("courseListingId = %s", listingId)

      String.format("DELETE FROM %s_%s.%s WHERE jsonb->>'courseListingId' = '%s'",
                tenantId, "mod_courses", COURSES_TABLE, listingId);

      The listingId variable is used without validation and without masking of CQL or SQL special characters, resulting in CQL and SQL injection.

      Solution:
      Use

      StringUtil.cqlEncode(listingId)

      to correctly wrap and encode the listingId.

      For delete use RMB's PgUtil.delete to avoid duplicate code and to avoid any CQL and SQL injection.

      Note that

      courseListingId =

      is a full-text search and the wrong operator. Instead

      courseListingId ==

      should be used to make use of the b-tree index that RMB has automatically created for this foreign key field. This should be fixed when fixing the CQL/SQL injection issues.
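      As an added illustration (not code from mod-courses or RMB), the vulnerable query building beside a hardened form that uses StringUtil.cqlEncode and the == relation, and a delete routed through RMB's CQL layer instead of a hand-built SQL string. The CQLWrapper, CQL2PgJSON and PostgresClient.delete shapes are assumed to follow recent RMB releases, and the table name is a placeholder.

```java
import io.vertx.core.AsyncResult;
import io.vertx.core.Handler;
import io.vertx.sqlclient.Row;
import io.vertx.sqlclient.RowSet;
import org.folio.cql2pgjson.CQL2PgJSON;
import org.folio.cql2pgjson.exception.FieldException;
import org.folio.rest.persist.PostgresClient;
import org.folio.rest.persist.cql.CQLWrapper;
import org.folio.util.StringUtil;

public class CourseQueries {
  // Placeholder table name; the real constant lives in CourseAPI.java.
  static final String COURSES_TABLE = "courses_placeholder";

  // BEFORE (vulnerable): listingId is spliced into the CQL unescaped, so quotes,
  // wildcards or boolean operators in the value change the query's meaning.
  // "=" is also the full-text relation, which does not use the b-tree index.
  static String vulnerableQuery(String listingId) {
    return String.format("courseListingId = %s", listingId);
  }

  // AFTER: cqlEncode masks CQL special characters and wraps the value in
  // double quotes so it is always a single term; "==" is the exact-match
  // relation that uses the index RMB created for this foreign key field.
  static String safeQuery(String listingId) {
    return "courseListingId == " + StringUtil.cqlEncode(listingId);
  }

  // Delete by CQL through RMB rather than formatting SQL by hand: the value is
  // escaped above and CQL2PgJSON produces the SQL, so no raw string splicing.
  // (Signature of PostgresClient.delete(table, CQLWrapper, handler) assumed.)
  static void deleteCoursesForListing(PostgresClient pgClient, String listingId,
      Handler<AsyncResult<RowSet<Row>>> handler) throws FieldException {
    CQLWrapper cql = new CQLWrapper(new CQL2PgJSON(COURSES_TABLE + ".jsonb"),
        safeQuery(listingId));
    pgClient.delete(COURSES_TABLE, cql, handler);
  }
}
```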

            People

              kurt Kurt Nordstrom
              julianladisch Julian Ladisch