Potential Security Issue Mike Gorrell (29 Jan 2020 12:35 EST)
(missing)
Re: Potential Security Issue Kevin Day (29 Jan 2020 17:10 EST)
Re: Potential Security Issue Zak Burke (29 Jan 2020 19:56 EST)
Re: Potential Security Issue Jakub Skoczen (30 Jan 2020 06:22 EST)
Re: Potential Security Issue Mike Gorrell (30 Jan 2020 07:38 EST)
Re: Potential Security Issue Tod Olson (29 Jan 2020 15:18 EST)
Re: Potential Security Issue Marc Johnson (29 Jan 2020 15:41 EST)
Re: Potential Security Issue Vincent Bareau (29 Jan 2020 18:30 EST)

Re: Potential Security Issue Zak Burke 29 Jan 2020 19:56 EST

This is not a security issue; there is no injection vector.

An SQL injection attack happens when the _backend_ fails to properly sanitize its input. The situation described here asserts the _frontend_ is not properly sanitizing its input. There is not a security issue on the frontend because it has no special relationship with the backend. Everything sent from the frontend to an endpoint can be sent to an endpoint directly via cURL or Postman or what have you.

It may be worth considering whether we want to allow API endpoints to accept arbitrary CQL queries, but that’s not the issue described in this ticket.

It would be polite of the frontend to sanitize its input so folks could get results when they search for titles like

    Robert"; drop table students; --

instead of a syntax error about unmatched quotes. Is that a bug? Sure, but a syntax error is not a security issue.

Zak

> On Jan 29, 2020, at 5:10 PM, Kevin Day <kday@library.tamu.edu> wrote:
>
> Hello Tech Council,
>
> I originally identified the problem described in https://issues.folio.org/browse/STRIPES-667.
>
> While there may be concerns about CQL itself and its processing, my concern has been primarily with the forms in Stripes and their lack of sanitization. This lack of sanitization opens up a front-door.
>
> This is way too easy to do:
> step 1) Adding a single double-quote in the form input.
> step 2) Done; injection now possible.
>
> The sanitization would be to, at the very least, escape double-quotes.
> Additional sanitization rules might need to be applied depending on the specific use of that form input.
>
> There are multiple modules that exhibit the same behavior of not escaping the form input.
> This is cause for some concern.
>
> I believe that, from a security perspective, there needs to be a standardized (and well documented) way to ensure that form input is safe to use.
>
> Whether or not a specific case of CQL has any risks is moot until such time that form inputs themselves are properly sanitized.
>
> Thank You,
> Kevin Day
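The escaping Kevin asks for and the "unmatched quotes" failure Zak describes, shown as an added example (this is not FOLIO or Stripes project code, and the index name `title`, the relation `=` and the function names are illustrative assumptions). CQL lets a double-quoted term contain a literal `"`, `\`, `*`, `?` or `^` only when the character is preceded by a backslash, so the client-side fix is to backslash-escape those five characters before interpolating a form value into a query. The balanced-quote checker at the end models the syntax error the thread mentions: the naively interpolated "Bobby Tables" title produces a clause with an odd number of unescaped quotes, the escaped one does not. As Zak notes, this is a usability fix for the frontend; whatever the client sends can also be sent straight to the endpoint, so the backend's own CQL parsing is what decides whether a query is dangerous.

```javascript
// Added example, not Stripes/FOLIO code. Escapes a user-supplied search term
// before it is interpolated into a CQL query string on the client.
// Assumption: the "title" index and the "=" relation are illustrative.

// Backslash-escape the characters that carry meaning inside a double-quoted
// CQL term: the quote itself, the backslash, the masking characters * and ?,
// and the anchoring character ^.
function escapeCqlString(value) {
  return String(value).replace(/[\\"*?^]/g, (ch) => '\\' + ch);
}

// Build one CQL clause, e.g. title="escaped value", from an index name and a
// raw form value.
function cqlClause(index, rawValue) {
  return `${index}="${escapeCqlString(rawValue)}"`;
}

// Walk the clause honouring backslash escapes inside quoted terms and report
// whether every opening quote has a matching closing quote. An unbalanced
// result is what surfaces to the user as an "unmatched quotes" syntax error.
function hasBalancedQuotes(cql) {
  let inString = false;
  for (let i = 0; i < cql.length; i++) {
    const ch = cql[i];
    if (inString && ch === '\\') {
      i++; // skip the escaped character, whatever it is
      continue;
    }
    if (ch === '"') inString = !inString;
  }
  return !inString;
}

// Constructed sample input: the title from the thread.
const sampleTitle = 'Robert"; drop table students; --';

// Naive interpolation, as the ticket describes the forms doing today.
const naiveClause = `title="${sampleTitle}"`;

// Escaped interpolation.
const escapedClause = cqlClause('title', sampleTitle);

function summary() {
  return {
    naive: naiveClause,
    naiveBalanced: hasBalancedQuotes(naiveClause),     // false: syntax error
    escaped: escapedClause,
    escapedBalanced: hasBalancedQuotes(escapedClause), // true: searchable term
  };
}

console.log(summary());
```

Apply `escapeCqlString` at the point where the form value is placed into the query, not on the rendered text, so the user still sees exactly what they typed. Escaping `*`, `?` and `^` as well as the quote makes the search match the literal characters; a form that intentionally exposes wildcard searching would leave those three out of the character class.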