Comments (3)
@pixelbender thanks for reporting. Do you want to send a pull request fixing the issue?
from prest.
Hello guys, I'll take care of this problem.
Suggestions are welcome.
... Complementing ...
The idea is to change WhereByRequest to return two results, the first is a string with the where clause and the second a string array containing the values that will be processed via Prepare.
I will use the same solution in other parts of the code that are also vulnerable.
Other entries such as field names can also be attacked; in these cases I will simply check if they contain invalid characters and return an error if I find a semicolon, quotes, etc.
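The approach sketched in the comment above, as an added example that is not pREST's own code: a hypothetical `whereByRequest` returns the WHERE clause with `$n` placeholders and the values separately, so the caller passes them to a prepared statement rather than concatenating them; field names are validated with a strict identifier allowlist (assumed here, stricter than the blocklist of semicolons and quotes the comment mentions).

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"sort"
	"strings"
)

// Assumed allowlist: PostgreSQL-style unquoted identifiers only.
var identRe = regexp.MustCompile(`^[a-zA-Z_][a-zA-Z0-9_]*$`)

// whereByRequest builds a WHERE clause from query parameters. Field names
// must match identRe; values are never concatenated into SQL, they become
// $1, $2, ... placeholders and are returned separately for Prepare/Query.
func whereByRequest(params url.Values) (string, []interface{}, error) {
	keys := make([]string, 0, len(params))
	for k := range params {
		keys = append(keys, k)
	}
	sort.Strings(keys) // deterministic placeholder numbering

	var clauses []string
	var values []interface{}
	for _, field := range keys {
		if !identRe.MatchString(field) {
			return "", nil, fmt.Errorf("invalid field name: %q", field)
		}
		for _, v := range params[field] {
			values = append(values, v)
			clauses = append(clauses, fmt.Sprintf("%s = $%d", field, len(values)))
		}
	}
	if len(clauses) == 0 {
		return "", nil, nil
	}
	return " WHERE " + strings.Join(clauses, " AND "), values, nil
}

func main() {
	// Constructed request: a quote in the value is harmless as a bound parameter.
	q, _ := url.ParseQuery("name=O'Reilly&age=30")
	where, args, err := whereByRequest(q)
	fmt.Println(where, args, err) // prints " WHERE age = $1 AND name = $2 [30 O'Reilly] <nil>"
	// A field name carrying a semicolon is rejected before any SQL is built.
	_, _, err = whereByRequest(url.Values{"name;": {"x"}})
	fmt.Println(err)
}
```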
@pixelbender thanks for reporting this bug. We at @nuveo weren't thinking of that initially because pREST would be used in a private network (no public access); we will put priority on this bug.