user_profile.py put operations uses unvalidated external text in query #2059

Closed
@mikesmit

Description

This code

    for key in payload:
        if key == "auth0_id":
            return Response(
                json.dumps(
                    {
                        "message": "Unauthorized attempt to modify auth0_id parameter; request denied"
                    }
                ),
                status=403,
                mimetype="application/json",
            )
        # key comes straight from the request body and is interpolated into the SQL text
        setter_array.append(f"{key} = ?")
        args.append(payload[key])
    setter_phrase = ", ".join(setter_array)

    args.append(user_id)

takes an unverified string input and inserts it directly into a query. Need to verify, but I expect this makes it easy to bypass our code's security: for instance, the key auth0_id = 'whatever', user_id. Or even the key "\"auth0_id\"", or even auth0_id = 'whatever'; DELETE WHERE user_id with the value *.

We should validate the payload against a JSON schema and explicitly map the fields we want to set from the input.

We should also review our code to ensure we don't do the same thing in other cases.
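One way to implement the explicit field mapping the issue asks for, as an added example that is not the project's code: column names come only from an allowlist dictionary, values are always bound parameters, and anything else (including auth0_id or a key like "auth0_id = 'x', user_id") is rejected before any SQL is built. The table user_profile, its columns, and the allowlist are assumptions for the demo, checked here against an in-memory sqlite3 database.

```python
import sqlite3

# Assumed allowlist: JSON field name -> column name. Only these keys may reach the query.
ALLOWED_FIELDS = {"display_name": "display_name", "email": "email", "bio": "bio"}
BOUND_TYPES = (str, int, float, type(None))


class InvalidPayload(ValueError):
    """Raised when the request body carries a key or value type we will not set."""


def build_update(payload, user_id):
    """Return (sql, args): SQL text built only from allowlisted column names."""
    if not isinstance(payload, dict) or not payload:
        raise InvalidPayload("payload must be a non-empty JSON object")
    setters, args = [], []
    for key, value in payload.items():
        column = ALLOWED_FIELDS.get(key)
        if column is None:
            # Rejects auth0_id and any attacker-chosen key; the key text never touches the SQL.
            raise InvalidPayload(f"field not allowed: {key!r}")
        if not isinstance(value, BOUND_TYPES):
            raise InvalidPayload(f"unsupported value type for {key!r}")
        setters.append(f"{column} = ?")  # column is our constant, value goes in as a parameter
        args.append(value)
    args.append(user_id)
    return f"UPDATE user_profile SET {', '.join(setters)} WHERE user_id = ?", args


def is_rejected(payload, user_id="u1"):
    try:
        build_update(payload, user_id)
    except InvalidPayload:
        return True
    return False


def demo_db():
    # Constructed sample table and rows for the demonstration.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_profile (user_id TEXT PRIMARY KEY, auth0_id TEXT, "
                 "display_name TEXT, email TEXT, bio TEXT)")
    conn.execute("INSERT INTO user_profile VALUES ('u1', 'auth0|orig', 'Alice', 'a@example.com', NULL)")
    conn.commit()
    return conn


def apply_update(conn, payload, user_id):
    """Run a validated update and return the row so the caller can see auth0_id is untouched."""
    sql, args = build_update(payload, user_id)
    conn.execute(sql, args)
    cols = ("user_id", "auth0_id", "display_name", "email", "bio")
    row = conn.execute(f"SELECT {', '.join(cols)} FROM user_profile WHERE user_id = ?", (user_id,)).fetchone()
    return dict(zip(cols, row))
```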
