[SECURITY] Sanitize SQL queries prior to execution #19

Closed
jordanpadams opened this issue Aug 20, 2020 · 1 comment · Fixed by NASA-PDS/registry-legacy-solr#5 or nasa-pds-engineering-node/registry-mgr-legacy#4
Assignees
Labels: bug (Something isn't working), duplicate (This issue or pull request already exists), icebox, s.low

Comments

@jordanpadams
Member

Vulnerability

Determine if the findings about SQL queries containing user input that is not sanitized are valid, and determine the potential consequences if they are.

| File | Warning Line | Warning Text | Notes |
| --- | --- | --- | --- |
| pds3-product-tools/src/main/java/gov/nasa/arc/pds/tools/util/URLUtils.java | 225 | Failure to use SSL (CWE-311) | Try to set secure before addCookie. ssoCookie.setSecure(true); plain text viewing possible if not set. |
| pds3-product-tools/src/main/java/gov/nasa/arc/pds/tools/util/URLUtils.java | 258 | Failure to use SSL (CWE-311) | Try to set secure before addCookie. ssoCookie.setSecure(true); plain text viewing possible if not set. |
| pds3-product-tools/src/main/java/gov/nasa/arc/pds/tools/util/URLUtils.java | 316 | Failure to use SSL (CWE-311) | Try to set secure before addCookie. ssoCookie.setSecure(true); plain text viewing possible if not set. |
| pds4-jparser/src/main/java/gov/nasa/arc/pds/tools/util/URLUtils.java | 195 | Failure to use SSL (CWE-311) | Try to set secure before addCookie. ssoCookie.setSecure(true); plain text viewing possible if not set. |
| pds4-jparser/src/main/java/gov/nasa/arc/pds/tools/util/URLUtils.java | 228 | Failure to use SSL (CWE-311) | Try to set secure before addCookie. ssoCookie.setSecure(true); plain text viewing possible if not set. |
| pds4-jparser/src/main/java/gov/nasa/arc/pds/tools/util/URLUtils.java | 286 | Failure to use SSL (CWE-311) | Try to set secure before addCookie. ssoCookie.setSecure(true); plain text viewing possible if not set. |
| tracking-service/src/main/java/gov/nasa/pds/tracking/tracking/db/ProductDao.java | 283 | Query built from user-controlled sources (CWE-089) | Use a prepared query or sanitize user provided query to ensure no malicious code is present. |
| tracking-service/src/main/java/gov/nasa/pds/tracking/tracking/db/ReferenceDao.java | 114 | Query built from user-controlled sources (CWE-089) | Use a prepared query or sanitize user provided query to ensure no malicious code is present. |

Software Version

Current

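The CWE-089 rows above recommend a prepared query over sanitizing the input string. The following is an added example, not code from the tracking-service DAOs or from this project, that shows why: the same payload returns every row from a query assembled by string concatenation and nothing from a parameterized one. It runs against an in-memory SQLite database with a constructed `product` table; the table schema, column names, sample rows and function names are assumptions for illustration, not the project's schema. In the Java DAOs the equivalent of the parameterized call is `Connection.prepareStatement` with `?` placeholders and `setString`. It also goes one step beyond the scanner's note: identifiers such as an ORDER BY column cannot be bound as parameters, so those are checked against an allow-list instead.

```python
import sqlite3

# Constructed sample data standing in for a product table; the schema and
# rows are assumptions for this example, not the project's real schema.
SAMPLE_ROWS = [
    ("urn:nasa:pds:example:product1", "Product One", "Released"),
    ("urn:nasa:pds:example:product2", "Product Two", "Archived"),
    ("urn:nasa:pds:example:product3", "Product Three", "Released"),
]

# A classic tautology payload: closes the quoted literal and appends OR '1'='1'.
INJECTION = "' OR '1'='1"

# Hypothetical allow-list of columns a caller may sort by.
ALLOWED_SORT_COLUMNS = {"logical_identifier", "title", "status"}


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE product (logical_identifier TEXT, title TEXT, status TEXT)"
    )
    conn.executemany("INSERT INTO product VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def find_by_lid_unsafe(conn, lid):
    """CWE-089 pattern: the caller's string becomes part of the SQL text."""
    sql = (
        "SELECT logical_identifier, title FROM product "
        "WHERE logical_identifier = '" + lid + "'"
    )
    return conn.execute(sql).fetchall()


def find_by_lid_prepared(conn, lid):
    """Prepared query: the value is bound to '?' and never parsed as SQL."""
    sql = "SELECT logical_identifier, title FROM product WHERE logical_identifier = ?"
    return conn.execute(sql, (lid,)).fetchall()


def list_products_sorted(conn, sort_column):
    """Identifiers cannot be bound as parameters, so allow-list them."""
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_column!r}")
    # Safe only because sort_column was just checked against a fixed set.
    sql = f"SELECT logical_identifier FROM product ORDER BY {sort_column}"
    return [row[0] for row in conn.execute(sql).fetchall()]


def demo():
    """Row counts returned for the injection payload and for a legitimate id."""
    conn = make_db()
    return {
        "unsafe": len(find_by_lid_unsafe(conn, INJECTION)),
        "prepared": len(find_by_lid_prepared(conn, INJECTION)),
        "legit": len(find_by_lid_prepared(conn, SAMPLE_ROWS[0][0])),
    }


if __name__ == "__main__":
    print(demo())  # {'unsafe': 3, 'prepared': 0, 'legit': 1}
```

The unsafe query becomes `WHERE logical_identifier = '' OR '1'='1'`, which is true for every row; the prepared query looks for a product whose identifier is literally `' OR '1'='1` and finds none. Escaping quotes by hand would block this one payload but not, for example, numeric contexts or a different database's quoting rules, which is why the bound parameter is the recommended fix.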
@jordanpadams jordanpadams self-assigned this Aug 20, 2020
@jordanpadams jordanpadams transferred this issue from NASA-PDS/software-issues-repo Oct 9, 2020
@jordanpadams jordanpadams added bug Something isn't working low labels Oct 9, 2020
@jordanpadams jordanpadams added s.low and removed low labels Mar 18, 2021
@jordanpadams
Member Author
