Re: Potential Security Issue
Kevin Day 29 Jan 2020 17:10 EST
Hello Tech Council,
I originally identified the problem described in https://issues.folio.org/browse/STRIPES-667 .
While there may be concerns about CQL itself and its processing, my concern has been primarily with the forms in Stripes and their lack of sanitization. This lack of sanitization opens up a front-door.
This is way too easy to do:
step 1) Adding a single double-quote in the form input.
step 2) Done; injection now possible.
The sanitization would be to, at the very least, escape double-quotes.
Additional sanitization rules might need to be applied depending on the specific use of that form input.
There are multiple modules that exhibit the same behavior of not escaping the form input.
This is cause for some concern.
I believe that, from a security perspective, there needs to be a standardized (and well documented) way to ensure that form input is safe to use.
Whether or not a specific case of CQL has any risks is moot until such time that form inputs themselves are properly sanitized.
Thank you,
Kevin Day
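As an added illustration of the escaping the message asks for (this is example code written for this page, not code from the original thread and not FOLIO or Stripes code; the helper names cqlQuote, cqlUnquote, buildTitleQuery and buildTitleQueryUnsafe are hypothetical), the block below contrasts a query builder that interpolates form input verbatim with one that escapes the value before placing it inside a double-quoted CQL literal. The round-trip check decodes the literal again and confirms that exactly one literal came out and that it carries the user's text unchanged; the unescaped builder fails that check as soon as the input contains a double quote.

```javascript
// Characters that are special inside a double-quoted CQL term (SRU/CQL spec):
// backslash, the quote delimiter itself and the wildcard/anchor characters.
const CQL_SPECIAL = /[\\"*?^]/g;

// Escape a raw form value and wrap it in double quotes so it is one CQL literal.
function cqlQuote(value) {
  return '"' + String(value).replace(CQL_SPECIAL, (ch) => '\\' + ch) + '"';
}

// Inverse of cqlQuote: parse exactly one quoted literal and return its decoded
// value. Returns null if the text is not a single well-formed literal, i.e. it
// is unterminated or has tokens after the closing quote (the symptom of a
// quote in the input breaking out of the literal).
function cqlUnquote(text) {
  if (text.length < 2 || text[0] !== '"') return null;
  let out = '';
  for (let i = 1; i < text.length; i++) {
    const ch = text[i];
    if (ch === '\\') {
      if (i + 1 >= text.length) return null; // dangling escape
      out += text[++i];
    } else if (ch === '"') {
      return i === text.length - 1 ? out : null; // anything after the quote => not one literal
    } else {
      out += ch;
    }
  }
  return null; // no closing quote
}

// Unsafe builder: the form input is dropped straight into the query string.
// A double quote in the input ends the literal early, which is the report's point.
function buildTitleQueryUnsafe(userInput) {
  return `title="${userInput}"`;
}

// Hardened builder: every value passes through cqlQuote before interpolation.
function buildTitleQuery(userInput) {
  return `title=${cqlQuote(userInput)}`;
}

// Defensive check usable in a unit test or a request validator: does the value
// part of `title=<literal>` decode to exactly what the user typed?
function valueRoundTrips(query, userInput) {
  const prefix = 'title=';
  if (!query.startsWith(prefix)) return false;
  return cqlUnquote(query.slice(prefix.length)) === userInput;
}

// Constructed sample input containing both a quote and a backslash.
const SAMPLE_INPUT = 'Say "hello" to C:\\temp';

console.log(buildTitleQueryUnsafe(SAMPLE_INPUT), valueRoundTrips(buildTitleQueryUnsafe(SAMPLE_INPUT), SAMPLE_INPUT));
console.log(buildTitleQuery(SAMPLE_INPUT), valueRoundTrips(buildTitleQuery(SAMPLE_INPUT), SAMPLE_INPUT));
```

The escaping covers the wildcard and anchor characters as well as the quote and backslash, so a user typing `*` gets a literal asterisk rather than a wildcard; whether that is wanted depends on the form, which is the "additional sanitization rules" point made above.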