Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix SQL injection in /api/system/meshsync/resources #10207

Merged
merged 1 commit into from
Feb 6, 2024
Merged

Fix SQL injection in /api/system/meshsync/resources #10207

merged 1 commit into from
Feb 6, 2024

Conversation

gyohuangxin
Copy link
Member

@gyohuangxin gyohuangxin commented Feb 4, 2024
edited
Loading

Notes for Reviewers

This PR fixes #

As mentioned in GitHub Security Lab (GHSL) Vulnerability Report, this PR is to fix a SQL injection in /api/system/meshsync/resources.
Similar vulnerabilities has been fixed in #9372 using SanitizeOrderInput function, which you can uses as a reference.

Signed commits

  • Yes, I signed my commits.

@gyohuangxin
Fix SQL injection in /api/system/meshsync/resources
d3cd06c 
Signed-off-by: Xin Huang <xin1.huang@intel.com>
@github-actions GitHub Actions
Copy link

github-actions bot commented Feb 4, 2024
edited
Loading

@leecalcote leecalcote added the security Issues or pull requests that address a security vulnerability label Feb 4, 2024
@leecalcote leecalcote added this to the v0.8.0 milestone Feb 4, 2024
@leecalcote leecalcote requested a review from nebula-aac February 4, 2024 07:49
@gyohuangxin
Copy link
Member Author

"Golang Unit and Integration Tests" job failed because of unchanged files, it's not related to my PR, I can raise another PR to fix them.

"MeshKit Error Codes Utility Runner" job's error message is Error: Input required and not supplied: token, which I have no idea about. @MUzairS15 Do you know that?

@MUzairS15
Copy link
Contributor

"Golang Unit and Integration Tests" job failed because of unchanged files, it's not related to my PR, I can raise another PR to fix them.

"MeshKit Error Codes Utility Runner" job's error message is Error: Input required and not supplied: token, which I have no idea about. @MUzairS15 Do you know that?

Error: Input required and not supplied: token The workflow runs fine on master branch , I think for PRs the GH Token is not being used, we can skip them (right now the conditional included to skip is not working correctly). I will look on this workflow.

Thanks for volunteering on

"Golang Unit and Integration Tests" job failed because of unchanged files, it's not related to my PR, I can raise another PR to fix them.".

Do you have one already?

@gyohuangxin
Copy link
Member Author

Thanks for volunteering on

"Golang Unit and Integration Tests" job failed because of unchanged files, it's not related to my PR, I can raise another PR to fix them.".

Do you have one already?

@MUzairS15 Not yet, but I can create one today.

leecalcote
leecalcote approved these changes Feb 6, 2024
View reviewed changes
Copy link
Member

@leecalcote leecalcote left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The change in this PR looks great.

@gyohuangxin gyohuangxin mentioned this pull request Feb 6, 2024
Merged
1 task
@MUzairS15 MUzairS15 merged commit 8e995ce into meshery:master Feb 6, 2024
14 of 16 checks passed
@gyohuangxin gyohuangxin mentioned this pull request Feb 13, 2024
Merged
1 task
This was referenced Aug 5, 2024
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nebula-aac nebula-aac nebula-aac approved these changes

@MUzairS15 MUzairS15 MUzairS15 approved these changes

@leecalcote leecalcote leecalcote approved these changes

Assignees
No one assigned
Labels
component/server security Issues or pull requests that address a security vulnerability
Projects
Meshery Current Release Train
Status: Done
Milestone
v0.8.0
Development

Successfully merging this pull request may close these issues.
4 participants
@gyohuangxin @MUzairS15 @leecalcote @nebula-aac