[ https://issues.apache.org/jira/browse/FINERACT-1338?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17314494#comment-17314494 ]
Joseph Makara commented on FINERACT-1338:
-----------------------------------------
Fixed as part of FINERACT-854 re SQL Injection in commit
_Fix some reporting issues including SQLi vulnerabilities (FINERACT-854)_
[https://github.com/apache/fineract/pull/1671/commits/37311edb9c702ad5c9806ae44678d2600d18186f]
It turns out we will not need the work done in FINERACT-1336 and FINERACT-1306
regarding reporting issues.
We actually don't need to add the following report parameters to the stretchy
reports table:
* ReportCategoryList,
* FullReportList and
* FullParameterList
[~manthan] is looking after this pull request's code review :) and will let us
know. Feedback most welcome.
Any chance we can please spin up a test deployment for this pull request
[https://github.com/apache/fineract/pull/1671] to verify the fix claim?
Thanks
> SQL Injection - While "runreports" api is trying to load report parameters
> --------------------------------------------------------------------------
>
> Key: FINERACT-1338
> URL: https://issues.apache.org/jira/browse/FINERACT-1338
> Project: Apache Fineract
> Issue Type: Bug
> Reporter: Francis Guchie
> Assignee: Francis Guchie
> Priority: Major
> Attachments: image-2021-03-31-15-53-00-571.png,
> image-2021-04-04-15-56-40-189.png
>
>
> After solving the error at FINERACT-1336, a new error shows up.
> While the API - runreports
> fineract-provider/api/v1/runreports/OfficeIdSelectOne?parameterType=true
> is spooling the report parameters, the user will not see any error on the UI
> !image-2021-03-31-15-53-00-571.png!
> but looking through the console OR Postman you see the error below:
> {
> "developerMessage": "The request was invalid. This typically will happen
> due to validation errors which are provided.",
> "httpStatusCode": "400",
> "defaultUserMessage": "Unexpected SQL Commands found",
> *"userMessageGlobalisationCode": "error.msg.found.sql.injection"*
> }
--
This message was sent by Atlassian Jira
(v8.3.4#803005)