New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Security Strategy #3965
Comments
Escaping output
Validation of inputs
Query security
Database security
CSRF
|
@jekkos I looked into the vulnerability a little and here is what Github Copilot came back with. It appears we are using QueryBuilder in most places, but we should search the code for places where we have sorting in the query but we aren't using QueryBuilder. I had also added filters into the getGet() methods to filter the inputs and this should add to the protection provided by QueryBuilder. It wouldn't hurt to also add some validation as well, but I'd be curious to see if the original attack vector was closed properly. Where is the original vulnerability report? |
I retrieved all the bug reports we had on this project here : https://huntr.com/users/jekkos/dashboard |
This was a concrete example https://huntr.com/bounties/eccf7762-efb4-4db6-a1de-1030331f34d7 |
OK if someone else doesn't get to it then I'll try it on Monday when I'm working on this project again. |
@jekkos it doesn't give me access to your dashboard. Are you able to either email it to me or send the report and example to the devroom in glitter? I'm not sure if that site allows sharing of a dashboard with multiple maintainers but that could be an option as well. |
@jekkos I think I'm just too much of a sucker for a good vulnerability hunt. I couldn't wait until Monday. Unfortunately here is the SQL being generated:
So as you can see the ORDER BY clause is vulnerable to injection even in CI 4.5.1 using $builder->orderBy(). This particular injection is only returning '1', but it's proof of concept that the field is vulnerable. The solution I think is to filter and/or validate the inputs
Maybe do this or just silently filter out anything that is not a valid input. I think it would involve creating a field in each model we do sorting and a getter function to return an array of sortable columns, since we may not want sorting on every column. thoughts? |
If we want to use CodeIgniter's validation engine, it wouldn't be too difficult to write a custom rule. You can even pass the acceptable sort columns to the rule. It's pretty clean that way. Then if it doesn't pass validation we can do what we want with it. |
@objecttothis are you sure that it is vulnerable? I just tried this url it does not seem to misbehave at first sight |
No you are right, it's still vulnerable. I tried this one The PR that I did was indeed about to validate the parameter passed in to the sort column. In this case it would check whether the param has a column name that is present in the db, if not then it would fall back to a default sorting order and ignore the input. |
Take a look at the query I posted. That's the result of $builder->getCompiledSelect(). It runs the injected select which just produces '1' on my database rather than enumerating tables, however it's enough for me to know that SQL isn't being escaped going into queryBuilder->orderBy(). So, if more malicious SQL is injected we need to be doing something. Maybe I'm not reading this right. Am I missing something? |
Take a look at the query I posted. That's the result of $builder->getCompiledSelect(). It runs the injected select which just produces '1' on my database rather than enumerating tables, however it's enough for me to know that SQL isn't being escaped going into queryBuilder->orderBy(). So, if more malicious SQL is injected we need to be doing something. Maybe I'm not reading this right. Am I missing something?
|
then you could also try to run a |
Good ole' |
During the conversion to CI4 we need to make sure that our code security strategy is rock solid. This will lay the groundwork for 3rd-party integrations so that we can have a foundational set of code standards for security.
Escaping outputs:
Validation of Inputs:
Query Security:
Database Security:
Now on to what I am less certain about:
What's wrong? What's missing?
@jekkos , et. al. thoughts?
The text was updated successfully, but these errors were encountered: