US-EPA-CAMD / easey-ui

Project Management repo for EPA Clean Air Markets Division (CAMD) Business Suite of applications
MIT License

SQL injection in typeORM #6185

Open maxdiebold-erg opened 1 month ago

maxdiebold-erg commented 1 month ago

A SQL injection vulnerability is affecting the following repositories:

These dependabot alerts will update the typeorm package, but the affected @nestjs packages must be manually updated. The typeorm update has breaking changes, so changes will need to be made in the code, primarily find -> findBy, findOne -> findOneBy, & updating custom repositories to remove the EntityRepository decorator.

maxdiebold-erg commented 1 month ago

I have linked all of the PRs related to this ticket, but the only one currently ready for review is easey-common: once that PR is merged in, I can update the @us-epa-camd/easey-common package version in the other repositories, and they can be tested & merged.

maxdiebold-erg commented 1 month ago

The easey-common updates have been merged, and the package has been updated in all other repositories, so the other Pull Requests are now ready for review.

esaber76 commented 1 week ago
  1. Receive the error below attempting to import a QA test from historical.

  2. Receive the error below "in public view" when expanding a facility to get to the locations on every screen (Monitoring Plans, Test Data, etc.). Seeing the same error when using admin tool.

  3. Receive the error below attempting to add a Protocol Gas Record for a Linearity.

  4. Receive the error below attempting to add a Linearity Test Record for a Linearity.

  5. Receive the error below attempting to import a QA test from file (Example file for ORIS 6137, unit 3: QA & Certification _ Export - A B Brown Generating Station (1).json).

  6. Unable to save a Test Summary Record for a RATA, Flow to Load Check, Flow to Load Reference, Fuel Flow to Load Test, Fuel Flow to Load Baseline, Unit Default, Miscellaneous test in the QA screen. Clicking on Save and Close after entering data in does nothing. This behavior does not exist on tst.

  7. Receive the error below attempting to add a Cycle Time Injection Record for a Cycle Time test.

  8. When attempting to Edit a Test Summary record for a Cycle Time Test, the Test Type Code dropdown does not have any options.

  9. Receive the error below attempting to add a Transmitter Transducer Accuracy Data Record.

  10. Receive the error below attempting to add a Unit Default Protocol Gas Record.

  11. Receive the error below attempting to add a Unit Default Air Emission Record.

maxdiebold-erg commented 2 days ago

It looks like 10 pull requests is the limit for linking to issues, so I'll add more here: