Kbin/kbin-core
29
327
Fork
You've already forked kbin-core
78

Use SQL parameters to prevent SQL injections in SearchRepository.php #75

Merged
ernest merged 2 commits from GauthierPLM/kbin-core:fix/#67 into develop 2023年06月16日 10:23:28 +02:00
Contributor
Copy link

Fix #67

When using user' input in SQL queries, it's recommended to use parameters in prepared queries to avoid SQL Injections. The issue reported in ticket #67 is a typical SQL inject, in which it would have been super easy for an attacker to query kbin' DB.

SearchRepository.php is the only file I checked, so I don't know if this kind of issues also exists elsewhere, but it would be good to perform a review as kbin is growing and security will be a concern for many.

Fix #67 When using user' input in SQL queries, it's recommended [to use parameters in prepared queries](https://www.doctrine-project.org/projects/doctrine-dbal/en/current/reference/data-retrieval-and-manipulation.html#dynamic-parameters-and-prepared-statements) to avoid SQL Injections. The issue reported in ticket #67 is a typical SQL inject, in which it would have been super easy for an attacker to query kbin' DB. SearchRepository.php is the only file I checked, so I don't know if this kind of issues also exists elsewhere, but it would be good to perform a review as kbin is growing and security will be a concern for many.
Author
Contributor
Copy link

Since #47 is caused by the same requests that I changed earlier, I added a commit to fix it by filtering votes by choice = 1.

Since #47 is caused by the same requests that I changed earlier, I added a commit to fix it by filtering votes by choice = 1.
First-time contributor
Copy link

Oof, noticed this coincidentally while looking for #47. This has potential to be very bad. I did a very cursory skim. There's quite a few places that aren't using proper SQL parameterization. Most are fortunately unlikely to be at risk because they're IDs that are presumably ints, but should still be parameterized to be safe (and particularly so that you never have to consider if any particular variable is safe being concatenated to a query).

Anyway, I don't personally have the time to figure out how to test anything (side note: oof, is there no unit tests anywhere?), but searching for some potentially risky keywords, I found a few other places that are likely highest risk, such as (line numbers @ 0ac805386d66e):

  • src\Repository\EntryRepository.php:156 - $qb->andWhere("JSONB_CONTAINS(e.tags, '\"".$criteria->tag."\"') = true");
  • src\Repository\EntryRepository.php:333 (basically the same thing)
  • src\Repository\MagazineRepository.php:328 (basically the same thing)
  • src\Repository\PostRepository.php:135 (basically the same thing)
  • src\Repository\PostRepository.php:291 (basically the same thing)
  • src\Repository\TagRepository.php (basically the same thing)
  • src\Repository\EntryRepository.php:356 ['name' => "%{$name}%", 'title' => "%{$name}%", 'visibility' => VisibilityInterface::VISIBILITY_VISIBLE]

There's also frankly a ton of places that have user or magazine ID concatenated like what GauthierPLM had fixed in this one file. Though assuming those are ints as we'd expect, the risk there is lower. String fields are what I focused on as they are the highest risk for SQL injection. This was only a quick skim and not an exhaustive review. Also, given the type system of PHP (I'm verrrry rusty as I haven't touched PHP in about a decade), making assumptions about integer types may be a dangerous idea.

Oof, noticed this coincidentally while looking for #47. This has potential to be very bad. I did a very cursory skim. There's quite a few places that aren't using proper SQL parameterization. Most are fortunately unlikely to be at risk because they're IDs that are presumably ints, but should still be parameterized to be safe (and particularly so that you never have to consider if any particular variable is safe being concatenated to a query). Anyway, I don't personally have the time to figure out how to test anything (side note: oof, is there no unit tests anywhere?), but searching for some potentially risky keywords, I found a few other places that are likely highest risk, such as (line numbers @ `0ac805386d66e`): - `src\Repository\EntryRepository.php:156` - `$qb->andWhere("JSONB_CONTAINS(e.tags, '\"".$criteria->tag."\"') = true");` - `src\Repository\EntryRepository.php:333` (basically the same thing) - `src\Repository\MagazineRepository.php:328` (basically the same thing) - `src\Repository\PostRepository.php:135` (basically the same thing) - `src\Repository\PostRepository.php:291` (basically the same thing) - `src\Repository\TagRepository.php` (basically the same thing) - `src\Repository\EntryRepository.php:356` `['name' => "%{$name}%", 'title' => "%{$name}%", 'visibility' => VisibilityInterface::VISIBILITY_VISIBLE]` There's also frankly a *ton* of places that have user or magazine ID concatenated like what GauthierPLM had fixed in this one file. Though assuming those are ints as we'd expect, the risk there is lower. String fields are what I focused on as they are the highest risk for SQL injection. This was only a quick skim and not an exhaustive review. Also, given the type system of PHP (I'm verrrry rusty as I haven't touched PHP in about a decade), making assumptions about integer types may be a dangerous idea.
Author
Contributor
Copy link

I'm not sure how to fix the tags insertion, this seem more complicated than the usually query injections and I don't really know that part of kbin yet.

However, for src\Repository\EntryRepository.php:356, the strings are properly « injected » since they are passed using the setParameters() function, which ensure they are properly escaped and are safe from SQL injection.

Regarding PHP types, kbin uses declare(strict_types=1);, meaning any value not in the right type will cause an error (see https://www.phptutorial.net/php-tutorial/php-strict_types/). That and the fact that usually IDs are taken from Users or Magazines (which are automatically retrieved using ParamConverter) ensure they are valid.
Using prepared requests would be better for sure, but it's less critical than the SQL injections in the SearchRepoistory.

I'm not sure how to fix the tags insertion, this seem more complicated than the usually query injections and I don't really know that part of kbin yet. However, for `src\Repository\EntryRepository.php:356`, the strings are properly « injected » since they are passed using the `setParameters()` function, which ensure they are properly escaped and are safe from SQL injection. Regarding PHP types, kbin uses `declare(strict_types=1);`, meaning any value not in the right type will cause an error (see https://www.phptutorial.net/php-tutorial/php-strict_types/). That and the fact that usually IDs are taken from Users or Magazines (which are automatically retrieved using ParamConverter) ensure they are valid. Using prepared requests would be better for sure, but it's less critical than the SQL injections in the SearchRepoistory.
Sign in to join this conversation.
No reviewers
Labels
Clear labels
a11y
Accessibility
ActivityPub
Incoming and/or outgoing federation of content
admin
Functionality and updates to improve the experience for admins
API
backend
bug
Something is not working
community
conflicting
contribution welcome
Contributions are very welcome, get started here
deployment
documentation
duplicate
This issue or pull request already exists
enhancement
New feature or changes to existing functionally
frontend
Styling, layout and other visual issues
good first issue
Interested in contributing? Get started here.
help wanted
Need some help
high priority
instance config
low priority
mobile
moderation
more infomation needed
It's not possible to proceed without additional information
needs feedback
Discussion is needed before action is taken.
pr pending
This issue is either waiting on a pull request or has been approved and waiting deployment to production
project setup
Questions / concerns relating to getting the project up and running
question
A user is asking a question about /kbin, not necessarily reporting an issue
search
security
translation
translations update needed
UI/UX
To do with user interface and/or user experience issues
upstream
Related to an upstream repository, already reported there
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
Kbin/kbin-core!75
Reference in a new issue
Kbin/kbin-core
No description provided.
Delete branch "GauthierPLM/kbin-core:fix/#67"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?