Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Create and show in the API are not storing data the same way #611

Open
IAmAStealer opened this issue Jul 13, 2023 · 2 comments · May be fixed by #613
Open

Create and show in the API are not storing data the same way #611

IAmAStealer opened this issue Jul 13, 2023 · 2 comments · May be fixed by #613
Assignees
@elg
Labels
BUG

Comments

@IAmAStealer
Copy link
Contributor

IAmAStealer commented Jul 13, 2023
edited

Describe the bug

Via the api if you create a target with a character that can be url encoded. It won't be encoded within the POST request and so within the database.

def target_create():
    """Add a target in the database"""
    # Only POST data are handled
    if request.method != "POST":
        return utils.response("ERROR: POST method is required ", 405)

    # Simplification for the reading
    name = request.form["name"].replace(" ", "")

Via the API if you want to show that element the filter used for research is quoted :

    name = urllib.parse.quote(name)
    query = db.session.query(target.Target.name)\
        .filter_by(name=name).first()

Leading to a bug that any target with a url encoded character unfindable.

And it is the same for user/target and so on.

I understand that it is for security reason, but it should be urlencoded in POST and Decoded only when displaying for the user.

Tested on my side just the urllib.parse.quote to be sure it is this line posing the problem.
I have two version installed and only the old one before this change doesn't have problem.

For security reason everything should be quoted before stored in the database and unquoted for user display.

To Reproduce

Create a target with "@" in the name for example
try to show the same target.
it will display an error saying it is not found because @ will be transformed in %40 before being filter_by in SQLAlchemy.

Expected behavior

Expected to change every storage with urllib.parse.quote() before any databse action and every display to users with urllib.parse.unquote(). Those leading in a heavy change that may have side effects.
@IAmAStealer IAmAStealer added the New New issue who need to be evaluated label Jul 13, 2023
@IAmAStealer
Copy link
Contributor Author

IAmAStealer commented Jul 18, 2023
edited

At first sight, Database injection is not possible, protected by the python code around it via SQLAlchemy.
So except if you had a particular reason to add :

name = urllib.parse.quote(name)

When searching for target or other element, this line doesn't look very useful, except generating errors.
Please tell me what you think.

@IAmAStealer IAmAStealer linked a pull request Jul 18, 2023 that will close this issue
Open
@elg
Copy link
Contributor

elg commented Jul 22, 2023

Hey,

I'm not sure that removing the parse will not cause security issues. I have to check more deeply.

Maybe writing more encode/decode would do the trick... Need to check.

@elg elg added BUG and removed New New issue who need to be evaluated labels Jul 22, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@elg elg

Labels
BUG
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Proposal for fix issue 611 IAmAStealer/passhport
2 participants
@elg @IAmAStealer