Pass params into query for sanitizing #53
Conversation
|
@skamerintel, please review |
|
@jwintel how user can provide something to sql request? e.g. params.ServiceId? |
@dkorlovs That's a good question actually. I tested this a bit and from what I've seen so far the arguments passed to the backend in the payload are serviceName, endTime, startTime, and a boolean or two:
But the times get passed through various date methods which would break if you stuck sql in them, and the serviceID is never one of the arguments--that name to ID translation must happen somewhere else within the backend, before the clickhouse interface. What concerns me are the hostname and container name and deployment name parameters. I don't have an example that I can test from unfortunately, but there is a filter where the user can pick these. They are supplied by the backend, but presumably if the user sets this filter it would include them in a backend call because the clickhouse code does use these as query parameters. So I think there is still a potential vulnerability. |
Yes, it appears this breaks the backend. Working on another solution. |
|
Found the documentation for the Go SQL interface, the '?' looks acceptable: https://pkg.go.dev/database/sql#DB.Query But there are internal server errors being returned. Further debugging is needed to determine why. |
Description
To fix the issue, we need to replace the unsafe query construction with a parameterized query using placeholders. This ensures that user-controlled data is safely embedded into the query without risking SQL injection. Specifically:
Replace the fmt.Sprintf-based query construction with a query string that uses placeholders (?) for parameters.
Pass the user-controlled values as arguments to the Query method, which will safely escape and embed them into the query.
Related Issue
See code scanning issues numbers 4-17
Motivation and Context
To ensure that we sanitize input from user
How Has This Been Tested?