
Main B-21380 Secure SQL Query #13965

Open · wants to merge 8 commits into base: main

Conversation

brianmanley-caci (Contributor)

Agility ticket: https://www13.v1host.com/USTRANSCOM38/story.mvc/Summary?oidToken=Story%3A1014751

Integration PR: #13864

Summary

The purpose of this story is to ensure that this query is not vulnerable to SQL injection. Ideally I would be able to use a parameterized query here, but that does not seem to be possible with this type of SET statement. The next best option was to validate that the input does not contain anything malicious by running it through a regex matcher. I added a regex matcher that validates that the input contains only a valid UUID. If it does not, an error is returned; otherwise it uses the audit user ID as before.

Is there anything you would like reviewers to give additional scrutiny?

[This article](https://www.uuidtools.com/what-is-uuid): I stole the regex from here, but also added the start and end characters.

Verification Steps for the Author

These are to be checked by the author.

  • Tested in the Experimental environment (for changes to containers, app startup, or connection to data stores)
  • Have the Agility acceptance criteria been met for this change?

Verification Steps for Reviewers

These are to be checked by a reviewer.

  • Has the branch been pulled in and checked out?
  • Have the BL acceptance criteria been met for this change?
  • Was the CircleCI build successful?
  • Has the code been reviewed from a standards and best practices point of view?

Setup to Run the Code

How to test

Since this code gets hit by a ton of different handlers, you only need to do some action that causes some handler to execute.

  1. Access the MilMove Application.
  2. Login as a Service Counselor.
  3. Click on any move.

Frontend

  • There are no aXe warnings for UI.
  • This works in Supported Browsers and their phone views (Chrome, Firefox, Edge).
  • There are no new console errors in the browser devtools.
  • There are no new console errors in the test output.
  • If this PR adds a new component to Storybook, it ensures the component is fully responsive, OR if it is intentionally not, a wrapping div using the officeApp class or custom min-width styling is used to hide any states that would not be visible to the user.
  • This change meets the standards for Section 508 compliance.

Backend

Database

Any new migrations/schema changes:

  • Follows our guidelines for Zero-Downtime Deploys.
  • Have been communicated to #g-database.
  • Secure migrations have been tested following the instructions in our docs.

Screenshots
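The validate-then-interpolate pattern the summary describes, as an added Go example that is not code from this PR or from the MilMove code base: the regex is the common 8-4-4-4-12 hex pattern with `^` and `$` anchors, the setting name `audit.current_user_id` and the shape of the SET statement are assumed placeholders, and the sample inputs are constructed. The block also shows what the same regex without anchors would let through, and, assuming the backing database is PostgreSQL, the `set_config()` form that accepts a bind parameter and so needs no string interpolation at all.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// Hex-digit groups in the canonical 8-4-4-4-12 layout. The anchored form
// requires the entire input to be exactly one UUID; the unanchored form
// only requires a UUID to appear somewhere in the input.
const uuidBody = `[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}`

var (
	anchoredUUID   = regexp.MustCompile(`^` + uuidBody + `$`)
	unanchoredUUID = regexp.MustCompile(uuidBody)
)

// ErrInvalidUUID is returned instead of ever interpolating a bad value.
var ErrInvalidUUID = errors.New("audit user ID is not a valid UUID")

// BuildAuditSet validates userID against the anchored regex and only then
// interpolates it into the SET statement. The setting name
// "audit.current_user_id" is a hypothetical placeholder, not MilMove's.
func BuildAuditSet(userID string) (string, error) {
	if !anchoredUUID.MatchString(userID) {
		return "", ErrInvalidUUID
	}
	// Safe to interpolate: the value is known to contain only hex digits and hyphens.
	return fmt.Sprintf("SET LOCAL audit.current_user_id = '%s'", userID), nil
}

// UnanchoredAccepts shows the bug the ^ and $ anchors prevent: a payload that
// merely contains a UUID somewhere still matches.
func UnanchoredAccepts(s string) bool {
	return unanchoredUUID.MatchString(s)
}

// ParameterizedAuditSet is the alternative that needs no regex when the
// database is PostgreSQL (an assumption here): set_config() is an ordinary
// function call, so the value travels as a bind parameter, never as SQL text.
func ParameterizedAuditSet(userID string) (string, []interface{}) {
	return "SELECT set_config('audit.current_user_id', $1, true)", []interface{}{userID}
}

func main() {
	good := "123e4567-e89b-12d3-a456-426614174000" // constructed sample UUID
	bad := good + "'; DROP TABLE moves; --"        // constructed injection attempt

	for _, in := range []string{good, bad} {
		stmt, err := BuildAuditSet(in)
		fmt.Printf("anchored:   %q -> stmt=%q err=%v\n", in, stmt, err)
		fmt.Printf("unanchored: %q -> accepted=%v\n", in, UnanchoredAccepts(in))
	}
}
```

Go's `$` matches only at the end of the text unless `(?m)` is set, so a newline after the UUID is rejected as well; in regex engines where `$` also matches before a trailing newline (Python's `re`, Ruby), `\z` is the safer end anchor for this kind of allow-list check.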

brianmanley-caci (Contributor, Author)

@deandreJones I believe this one can be merged.


9 participants