From 672dcf452ad167fe83d072242b984bad1382977d Mon Sep 17 00:00:00 2001
From: Prakash Kumar
Date: Thu, 5 Sep 2024 14:42:30 +0530
Subject: [PATCH 1/2] scan list in global security page sql injection fix

---
 .../security/ImageScanDeployInfoRepository.go | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/internal/sql/repository/security/ImageScanDeployInfoRepository.go b/internal/sql/repository/security/ImageScanDeployInfoRepository.go
index b3146dd6d8..405da086c4 100644
--- a/internal/sql/repository/security/ImageScanDeployInfoRepository.go
+++ b/internal/sql/repository/security/ImageScanDeployInfoRepository.go
@@ -147,8 +147,13 @@ func (impl ImageScanDeployInfoRepositoryImpl) FindByTypeMetaAndTypeId(scanObject
 func (impl ImageScanDeployInfoRepositoryImpl) ScanListingWithFilter(request *securityBean.ImageScanFilter, size int, offset int, deployInfoIds []int) ([]*ImageScanListingResponse, error) {
 var models []*ImageScanListingResponse
+ var err error
 query := impl.scanListingQueryBuilder(request, size, offset, deployInfoIds)
- _, err := impl.dbConnection.Query(&models, query, size, offset)
+ if len(request.Severity) > 0 {
+ _, err = impl.dbConnection.Query(&models, query, pg.In(request.Severity), pg.In(request.Severity))
+ } else {
+ _, err = impl.dbConnection.Query(&models, query)
+ }
 if err != nil {
 impl.logger.Error("err", err)
 return []*ImageScanListingResponse{}, err
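Review bot: The number of arguments bound in ScanListingWithFilter now has to mirror the branch inside scanListingQueryBuilder that emits the two `?` placeholders, so the `len(request.Severity) > 0` decision is duplicated in the caller and the builder and the two can drift silently (a mismatch only surfaces as a runtime driver error). A more robust shape is for the builder to return the query together with its argument list, leaving the caller a single `query, args := impl.scanListingQueryBuilder(request, size, offset, deployInfoIds)` followed by `_, err = impl.dbConnection.Query(&models, query, args...)`; that would also let the remaining concatenated filters become parameters later without touching this function again. The `size, offset` values that the removed line passed to Query are no longer bound, which is only correct if the builder interpolates them itself — that code is outside the hunk, so worth confirming. `pg.In` also requires the go-pg package to be imported in this file if it is not already.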
@@ -177,8 +182,7 @@ func (impl ImageScanDeployInfoRepositoryImpl) scanListQueryWithoutObject(request
 query = query + " AND res.cve_store_name ILIKE '%" + request.CVEName + "%'"
 }
 if len(request.Severity) > 0 {
- severities := strings.Trim(strings.Join(strings.Fields(fmt.Sprint(request.Severity)), ","), "[]")
- query = query + fmt.Sprintf(" AND (cs.standard_severity IN (%s) OR (cs.severity IN (%s) AND cs.standard_severity IS NULL))", severities, severities)
+ query = query + " AND (cs.standard_severity IN (?) OR (cs.severity IN (?) AND cs.standard_severity IS NULL))"
 }
 if len(request.EnvironmentIds) > 0 {
 envIds := strings.Trim(strings.Join(strings.Fields(fmt.Sprint(request.EnvironmentIds)), ","), "[]")
@@ -239,8 +243,7 @@ func (impl ImageScanDeployInfoRepositoryImpl) scanListQueryWithObject(request *s
 }
 if len(request.Severity) > 0 {
- severities := strings.Trim(strings.Join(strings.Fields(fmt.Sprint(request.Severity)), ","), "[]")
- query = query + fmt.Sprintf(" AND (cs.standard_severity IN (%s) OR (cs.severity IN (%s) AND cs.standard_severity IS NULL))", severities, severities)
+ query = query + " AND (cs.standard_severity IN (?) OR (cs.severity IN (?) AND cs.standard_severity IS NULL))"
 }
 if len(request.EnvironmentIds) > 0 {
 envIds := strings.Trim(strings.Join(strings.Fields(fmt.Sprint(request.EnvironmentIds)), ","), "[]")

From 9f49d3524a3ae087e61979f1a107c74964d7e834 Mon Sep 17 00:00:00 2001
From: Prakash Kumar
Date: Thu, 5 Sep 2024 15:41:46 +0530
Subject: [PATCH 2/2] comment

---
 .../sql/repository/security/ImageScanDeployInfoRepository.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/internal/sql/repository/security/ImageScanDeployInfoRepository.go b/internal/sql/repository/security/ImageScanDeployInfoRepository.go
index 405da086c4..f723c9a547 100644
--- a/internal/sql/repository/security/ImageScanDeployInfoRepository.go
+++ b/internal/sql/repository/security/ImageScanDeployInfoRepository.go
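Review bot: The `request.CVEName` filter on the first context line of the scanListQueryWithoutObject hunk is still concatenated into the SQL string (`ILIKE '%" + request.CVEName + "%'`), so the same class of problem this commit fixes for Severity remains one line above the fix; it should become a bound parameter too, e.g. `query = query + " AND res.cve_store_name ILIKE ?"` with the caller binding `"%" + request.CVEName + "%"` (and `%`/`_` inside CVEName still act as wildcards unless escaped). The `request.EnvironmentIds` line at the end of this hunk and of the scanListQueryWithObject hunk keeps the `fmt.Sprint`/`strings.Trim` formatting the commit removes for Severity; presumably those are integer ids and cannot carry arbitrary text, but `pg.In(request.EnvironmentIds)` would keep one style for every IN list and remove the need to reason about each field's type. Both enclosing functions start and end outside the hunks.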
@@ -182,6 +182,7 @@ func (impl ImageScanDeployInfoRepositoryImpl) scanListQueryWithoutObject(request
 query = query + " AND res.cve_store_name ILIKE '%" + request.CVEName + "%'"
 }
 if len(request.Severity) > 0 {
+ // use pg.In to inject values here wherever calling this func in case severity exists, to avoid sql injections
 query = query + " AND (cs.standard_severity IN (?) OR (cs.severity IN (?) AND cs.standard_severity IS NULL))"
 }
 if len(request.EnvironmentIds) > 0 {
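Review bot: The added comment says "inject values", which reads as the opposite of what it means, and it does not name the call site that has to honour it; a wording such as `// both ? placeholders are bound by the caller (ScanListingWithFilter) with pg.In(request.Severity); never format the slice into the string` states the contract the caller must keep. The same placeholder line exists in scanListQueryWithObject without any comment, so the note belongs there as well, or better on the doc comment of the shared builder where both branches are described once. scanListQueryWithoutObject starts and ends outside this hunk.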