[
https://issues.apache.org/jira/browse/FINERACT-1338?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17314447#comment-17314447
]
Joseph Makara commented on FINERACT-1338:
-----------------------------------------
On adding the above fix on my local, the SQLi error
(error.msg.found.sql.injection) is gone, BUT now I am seeing the other error below:
{code:java}
{
  "developerMessage": "The requested resource is not available.",
  "httpStatusCode": "404",
  "defaultUserMessage": "The requested resource is not available.",
  "userMessageGlobalisationCode": "error.msg.resource.not.found",
  "errors": [
    {
      "developerMessage": "Reporting meta-data entry not found.",
      "defaultUserMessage": "Reporting meta-data entry not found.",
      "userMessageGlobalisationCode": "error.msg.report.name.not.found",
      "parameterName": "id",
      "value": null,
      "args": [
        { "value": "Report Name: OfficeIdSelectOne" }
      ]
    }
  ]
}
{code}
On debug I see that it is attempting to get _report parameters_ from the report table
stretchy_report, but clearly these parameters are in `_stretchy_parameter_`:
{code:java}
SELECT x.*
FROM (
SELECT ifNull(report_type,'') AS report_type
FROM `stretchy_report`
WHERE report_name = 'OfficeIdSelectOne' AND self_service_user_report = 0
) x;
{code}
Looking into this to tell whether or not it is supposed to look up report
parameters from `stretchy_report`.
> SQL Injection - While "runreports" api is trying to load report parameters
> --------------------------------------------------------------------------
>
> Key: FINERACT-1338
> URL: https://issues.apache.org/jira/browse/FINERACT-1338
> Project: Apache Fineract
> Issue Type: Bug
> Reporter: Francis Guchie
> Assignee: Francis Guchie
> Priority: Major
> Attachments: image-2021-03-31-15-53-00-571.png
>
>
> After solving the error at FINERACT-1336 a new error shows up.
> While the api - runreports
> fineract-provider/api/v1/runreports/OfficeIdSelectOne?parameterType=true
> is spooling the report parameters, the user will not see any error on the UI
> !image-2021-03-31-15-53-00-571.png!
> but looking through the console OR Postman you see the error below
> {
> "developerMessage": "The request was invalid. This typically will happen due to validation errors which are provided.",
> "httpStatusCode": "400",
> "defaultUserMessage": "Unexpected SQL Commands found",
> *"userMessageGlobalisationCode": "error.msg.found.sql.injection"*
> }
--
This message was sent by Atlassian Jira
(v8.3.4#803005)