Potential Security Issue Mike Gorrell (29 Jan 2020 12:35 EST)
Re: Potential Security Issue Kevin Day (29 Jan 2020 17:10 EST)
Re: Potential Security Issue Zak Burke (29 Jan 2020 19:56 EST)
Re: Potential Security Issue Jakub Skoczen (30 Jan 2020 06:22 EST)
Re: Potential Security Issue Mike Gorrell (30 Jan 2020 07:38 EST)
Re: Potential Security Issue Tod Olson (29 Jan 2020 15:18 EST)
Re: Potential Security Issue Marc Johnson (29 Jan 2020 15:41 EST)
Re: Potential Security Issue Vincent Bareau (29 Jan 2020 18:30 EST)

Re: Potential Security Issue Kevin Day 29 Jan 2020 17:10 EST
Hello Tech Council,

I originally identified the problem described in https://issues.folio.org/browse/STRIPES-667.

While there may be concerns about CQL itself and its processing, my concern has been primarily with the forms in Stripes and their lack of sanitization. This lack of sanitization opens up a front door.

This is way too easy to do:
step 1) Adding a single double-quote in the form input.
step 2) Done; injection now possible.

The sanitization would be to, at the very least, escape double-quotes.
Additional sanitization rules might need to be applied depending on the specific use of that form input.

There are multiple modules that exhibit the same behavior of not escaping the form input.
This is cause for some concern.

I believe that, from a security perspective, there needs to be a standardized (and well documented) way to ensure that form input is safe to use.

Whether or not a specific case of CQL has any risks is moot until such time that form inputs themselves are properly sanitized.

Thank you,
Kevin Day
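The escaping the message asks for, shown as an added example in JavaScript (the language of Stripes forms). This is not code from the FOLIO or Stripes projects; the function names and the sample search-box value are constructed for illustration. It escapes the characters that have structural meaning inside a CQL quoted term (backslash, double-quote and the wildcard/anchor characters `*`, `?`, `^`, all of which CQL escapes with a backslash), and it includes a small check that counts unescaped quotes so a reviewer can see that the unescaped form of "step 1" breaks out of the literal while the escaped form does not.

```javascript
// Added example, not from the FOLIO/Stripes code base.
// In CQL a backslash escapes the next character inside a term, so the
// characters that can alter query structure or matching are:  \  "  *  ?  ^
const CQL_SPECIALS = /[\\"*?^]/g;

// Escape a raw form value so it can be placed inside a CQL quoted term.
function escapeCqlValue(value) {
  return String(value).replace(CQL_SPECIALS, (ch) => '\\' + ch);
}

// Hypothetical helper: the unsafe pattern described in the message,
// raw form input interpolated straight into the query string.
function buildCqlUnsafe(field, value) {
  return `${field}="${value}"`;
}

// Hypothetical helper: the same query with the value escaped first.
function buildCqlEscaped(field, value) {
  return `${field}="${escapeCqlValue(value)}"`;
}

// Count double-quotes that are not preceded by a backslash escape.
// A single-term query such as  field="..."  should contain exactly two.
function countUnescapedQuotes(query) {
  let count = 0;
  let escaped = false;
  for (const ch of query) {
    if (escaped) { escaped = false; continue; }
    if (ch === '\\') { escaped = true; continue; }
    if (ch === '"') count += 1;
  }
  return count;
}

// True when the user-supplied value stayed inside its quoted literal.
function isSingleTermLiteralIntact(query) {
  return countUnescapedQuotes(query) === 2;
}

// Constructed sample input: a search-box value containing a double-quote
// (the "step 1" from the message) followed by text that would otherwise be
// parsed as a second clause.
const sampleInput = 'smith" or title="*';

// Build both forms for the sample and report whether each literal is intact.
function demo(field = 'title', value = sampleInput) {
  const unsafe = buildCqlUnsafe(field, value);
  const escaped = buildCqlEscaped(field, value);
  return {
    unsafe,
    unsafeIntact: isSingleTermLiteralIntact(unsafe),
    escaped,
    escapedIntact: isSingleTermLiteralIntact(escaped),
  };
}
```

Calling `demo()` returns `title="smith" or title="*"` for the unsafe form (four unescaped quotes, literal broken) and `title="smith\" or title=\"\*"` for the escaped form (two unescaped quotes, literal intact). Escaping at the point where the value enters the query is the minimum the message asks for; per-module rules can be layered on top, but this step should not depend on them.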