user_profile.py put operations uses unvalidated external text in query #2059

Open
mikesmit opened this issue Dec 17, 2024 · 1 comment · May be fixed by #2067
@mikesmit
Collaborator

This code

    for key in payload:
        if key == "auth0_id":
            return Response(
                json.dumps(
                    {
                        "message": "Unauthorized attempt to modify auth0_id parameter; request denied"
                    }
                ),
                status=403,
                mimetype="application/json",
            )
        setter_array.append(f"{key} = ?")
        args.append(payload[key])
    setter_phrase = ", ".join(setter_array)

    args.append(user_id)

takes an unverified string input and inserts it directly into a query. Need to verify but I expect this makes it easy to bypass our code's security: For instance the key `auth0_id = 'whatever', user_id`. Or even the key `"\"auth0_id\""` or even `auth0_id = 'whatever'; DELETE WHERE user_id` with value `*`

We should validate the payload against a JSON schema and explicitly map the fields we want to set from the input.

We should also review our code to ensure we don't do the same thing in other cases.

@mikesmit mikesmit self-assigned this Dec 17, 2024
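
One way to do the explicit field mapping proposed in the issue, shown as an added example (not the project's code and not the fix in #2067). The table name, column names and `build_profile_update` are assumptions, and the string type check stands in for full JSON-schema validation.

```python
import sqlite3

# Hypothetical table/column names (not from the project). Only these literals
# can ever reach the SQL text; auth0_id is deliberately absent.
UPDATABLE_COLUMNS = {"display_name": "display_name", "email": "email", "bio": "bio"}


class InvalidProfileUpdate(ValueError):
    """Raised when a payload contains a field the endpoint does not accept."""


def build_profile_update(payload, user_id):
    """Return (sql, args) for an UPDATE built only from allowlisted columns."""
    if not isinstance(payload, dict) or not payload:
        raise InvalidProfileUpdate("payload must be a non-empty JSON object")
    unknown = sorted(k for k in payload if k not in UPDATABLE_COLUMNS)
    if unknown:
        # Reject the whole request rather than silently dropping fields.
        raise InvalidProfileUpdate(f"fields not allowed: {unknown!r}")
    setters, args = [], []
    for field, column in UPDATABLE_COLUMNS.items():
        if field in payload:
            value = payload[field]
            if not isinstance(value, str):
                raise InvalidProfileUpdate(f"{field} must be a string")
            setters.append(f"{column} = ?")  # column text comes from our dict
            args.append(value)               # value travels as a bound parameter
    args.append(user_id)
    return f"UPDATE user_profile SET {', '.join(setters)} WHERE user_id = ?", args


def demo():
    """Run the builder against a constructed in-memory table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user_profile (user_id INTEGER PRIMARY KEY, "
               "auth0_id TEXT, display_name TEXT, email TEXT, bio TEXT)")
    db.execute("INSERT INTO user_profile VALUES (1, 'auth0|abc', 'Old', 'o@example.com', '')")
    sql, args = build_profile_update({"display_name": "New"}, 1)
    db.execute(sql, args)
    rejected = []
    # Keys of the kind the issue describes; each must be refused before any SQL is built.
    for bad in ({"auth0_id": "x"}, {'"auth0_id"': "x"}, {"auth0_id = 'whatever', user_id": "y"}):
        try:
            build_profile_update(bad, 1)
        except InvalidProfileUpdate:
            rejected.append(next(iter(bad)))
    row = db.execute("SELECT auth0_id, display_name FROM user_profile").fetchone()
    return row, rejected
```

Because the SQL text is assembled from the dictionary's values rather than from the request's keys, the `auth0_id` check no longer depends on string comparison against attacker-chosen spellings.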
mikesmit pushed a commit that referenced this issue Dec 17, 2024
fixes #1981, fixes #2059

This migrates the code for the user profile resource to use blueprints.

It also fixes an issue where the PUT operation allowed malicious
injection attacks on our database.
@mikesmit
Collaborator Author

I am going to address this as part of #1989

mikesmit pushed a commit that referenced this issue Dec 23, 2024
fixes #1981, fixes #2059

This migrates the code for the user profile resource to use blueprints.

It also fixes an issue where the PUT operation allowed malicious
injection attacks on our database.
@mikesmit mikesmit linked a pull request Dec 23, 2024 that will close this issue
mikesmit pushed a commit that referenced this issue Dec 23, 2024
fixes #1989, fixes #2059

This migrates the code for the user profile resource to use blueprints.

It also fixes an issue where the PUT operation allowed malicious
injection attacks on our database.