NASA-PDS / operations

Tickets for the PDSEN Operations Team
Other

[SECURITY] Sanitize SQL queries prior to execution #19

Closed jordanpadams closed 3 years ago

jordanpadams commented 4 years ago

Vulnerability

Determine if the findings about SQL queries containing user input that is not sanitized are valid, and determine the potential consequences if they are.

| File | Warning Line | Warning Text | Notes |
|---|---|---|---|
| pds3-product-tools/src/main/java/gov/nasa/arc/pds/tools/util/URLUtils.java | 225 | Failure to use SSL (CWE-311) | Try to set secure before addCookie. ssoCookie.setSecure(true); plain text viewing possible if not set. |
| pds3-product-tools/src/main/java/gov/nasa/arc/pds/tools/util/URLUtils.java | 258 | Failure to use SSL (CWE-311) | Try to set secure before addCookie. ssoCookie.setSecure(true); plain text viewing possible if not set. |
| pds3-product-tools/src/main/java/gov/nasa/arc/pds/tools/util/URLUtils.java | 316 | Failure to use SSL (CWE-311) | Try to set secure before addCookie. ssoCookie.setSecure(true); plain text viewing possible if not set. |
| pds4-jparser/src/main/java/gov/nasa/arc/pds/tools/util/URLUtils.java | 195 | Failure to use SSL (CWE-311) | Try to set secure before addCookie. ssoCookie.setSecure(true); plain text viewing possible if not set. |
| pds4-jparser/src/main/java/gov/nasa/arc/pds/tools/util/URLUtils.java | 228 | Failure to use SSL (CWE-311) | Try to set secure before addCookie. ssoCookie.setSecure(true); plain text viewing possible if not set. |
| pds4-jparser/src/main/java/gov/nasa/arc/pds/tools/util/URLUtils.java | 286 | Failure to use SSL (CWE-311) | Try to set secure before addCookie. ssoCookie.setSecure(true); plain text viewing possible if not set. |
| tracking-service/src/main/java/gov/nasa/pds/tracking/tracking/db/ProductDao.java | 283 | Query built from user-controlled sources (CWE-089) | Use a prepared query or sanitize user provided query to ensure no malicious code is present. |
| tracking-service/src/main/java/gov/nasa/pds/tracking/tracking/db/ReferenceDao.java | 114 | Query built from user-controlled sources (CWE-089) | Use a prepared query or sanitize user provided query to ensure no malicious code is present. |

Software Version

Current
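The two warning classes in the table above, shown side by side in the pattern the scanner flags and in the remediated form the Notes column asks for. This is an added illustration, not code from tracking-service, pds3-product-tools or pds4-jparser; the class, method, table and cookie names are assumptions chosen for the example, and the only real APIs used are `java.sql.PreparedStatement` and `javax.servlet.http.Cookie#setSecure`.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical DAO/servlet helper used to illustrate CWE-089 and CWE-311.
 * Names ("product" table, "sso" cookie, method names) are assumptions for
 * this example and do not correspond to the PDS code base.
 */
public class FindingExamples {

    // CWE-089 as flagged: the query text is assembled by string concatenation,
    // so a quote character inside productId is parsed as part of the SQL and
    // can change the statement's structure.
    static ResultSet lookupProductUnsafe(Connection conn, String productId)
            throws SQLException {
        String sql = "SELECT * FROM product WHERE product_id = '" + productId + "'";
        Statement stmt = conn.createStatement();
        return stmt.executeQuery(sql);
    }

    // Remediation: a prepared statement sends the SQL and the value separately;
    // the driver binds the value, so it is never interpreted as SQL text.
    static ResultSet lookupProductSafe(Connection conn, String productId)
            throws SQLException {
        PreparedStatement ps = conn.prepareStatement(
                "SELECT * FROM product WHERE product_id = ?");
        ps.setString(1, productId);
        return ps.executeQuery();
    }

    // CWE-311 as flagged: the cookie is added without the Secure attribute,
    // so a browser will also send it over plain HTTP, where it is readable
    // on the wire.
    static void addSsoCookieUnsafe(HttpServletResponse resp, String token) {
        Cookie ssoCookie = new Cookie("sso", token);
        resp.addCookie(ssoCookie);
    }

    // Remediation: set Secure before addCookie, since the attribute has to be
    // present when the Set-Cookie header is written. HttpOnly is added as well
    // so page scripts cannot read the session token.
    static void addSsoCookieSafe(HttpServletResponse resp, String token) {
        Cookie ssoCookie = new Cookie("sso", token);
        ssoCookie.setSecure(true);    // only transmitted over HTTPS
        ssoCookie.setHttpOnly(true);  // not exposed to document.cookie
        resp.addCookie(ssoCookie);
    }
}
```

For the CWE-089 entries, prefer the prepared-statement form over input sanitizing: sanitizing has to anticipate every quoting rule of the target database, whereas parameter binding removes the value from the SQL parser entirely. For the CWE-311 entries, `setSecure(true)` only has an effect if the service is actually reached over HTTPS; the flag prevents the cookie from being sent over HTTP but does not by itself establish the TLS connection.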

jordanpadams commented 3 years ago

Created separate issues in each repo: https://github.com/NASA-PDS/tracking-service/issues/20 https://github.com/NASA-PDS/pds3-product-tools/issues/14 https://github.com/NASA-PDS/pds4-jparser/issues/44