Uploaded image for project: 'RAML Module Builder'
  1. RAML Module Builder
  2. RMB-803

Fix URL encoding in BuildCQL preventing CQL injection

    XMLWordPrintable

    Details

    • Template:
      Standard Bug Write-Up Format
    • Story Points:
      1
    • Development Team:
      Core: Platform

      Description

      Overview:

      BuildCQL.buildCQL() doesn't URL encode cqlStatementOperator and operatorBetweenArgs. This may result in CQL injection.

      Solution:

      URL encode the complete CQL query.

       

        TestRail: Results

          Attachments

            Issue Links

            relates to

            Bug - A problem which impairs or prevents the functions of the product. RMB-379 wrong Criteria value masking results in SQL Injection

            • P2 - normal priority level, must be included in the current development cycle
            • Closed

            Bug - A problem which impairs or prevents the functions of the product. RMB-396 mask ) ] } in regexp to prevent SQL injection

            • TBD - To be determined
            • Closed

            Task - A task that needs to be done. RMB-565 review if all CQL to SQL generation code is using masking

            • P3 - low priority level, item will be considered for inclusion in the next dev cycle
            • Closed

            Task - A task that needs to be done. RMB-725 StringUtil.cqlEncode masking CQL characters preventing CQL injection

            • P3 - low priority level, item will be considered for inclusion in the next dev cycle
            • Closed

              Activity

                People

                Assignee:
                julianladisch Julian Ladisch
                Reporter:
                julianladisch Julian Ladisch
                Votes:
                0 Vote for this issue
                Watchers:
                1 Start watching this issue

                  Dates

                  Created:
                  Updated:
                  Resolved:

                    TestRail: Runs

                      TestRail: Cases