allegro / ralph

Ralph is the CMDB / Asset Management system for data center and back office hardware.
https://ralph.allegro.tech/
Apache License 2.0

Contact | Security Issue #3684

Open ghost opened 2 years ago

ghost commented 2 years ago

Dear Ralph contributors,

I've tried to contact several of you through email, but got no response. Please get back to me at: vulnerability@whitesourcesoftware.com. It's about security issues found in your project.

Thanks, Miriam

szymi- commented 2 years ago

Hello Miriam, I responded to your email about two weeks ago. Maybe my email ended up in your Spam folder. Upon closer inspection of the issue (i.e. https://owasp.org/www-community/attacks/CSV_Injection), we decided we will not fix it in the foreseeable future. Import / export of data in Ralph is not a feature useful for users who wish to browse Ralph data in any spreadsheet software. Exported data contains mostly database IDs of related Ralph objects and is not human friendly. It is unlikely anybody uses exported data in such a way. Exported data can be useful to be imported in another Ralph instance and when used in such a way, it is not susceptible to CSV injection.
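For readers who do want to guard an export against the CSV injection class discussed above, the following is an added illustration (not Ralph's code, and not part of this thread) of the OWASP mitigation: cells beginning with a formula trigger character are prefixed with a single quote so a spreadsheet renders them as text, and a scanner flags such cells in a file before import. The sample rows are constructed for the example.

```python
import csv
import io

# Leading characters that make common spreadsheet software evaluate a cell
# as a formula (per the OWASP CSV Injection page).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value):
    """True if a spreadsheet would treat this cell's content as a formula."""
    return isinstance(value, str) and value.startswith(FORMULA_TRIGGERS)


def neutralize_cell(value):
    """Prefix formula-like text with a single quote so it is shown as text.

    Non-string values (e.g. database IDs) are returned unchanged.
    """
    if is_formula_like(value):
        return "'" + value
    return value


def export_rows(header, rows):
    """Serialize rows to CSV text with every cell neutralized.

    QUOTE_ALL makes the csv module wrap each field in double quotes and
    escape embedded quotes, so delimiter characters inside a value cannot
    break the row structure either.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Return (row, column) positions of formula-like cells in CSV text.

    Useful as a pre-import check on a file received from elsewhere.
    """
    reader = csv.reader(io.StringIO(csv_text))
    return [(r, c) for r, row in enumerate(reader)
            for c, cell in enumerate(row) if is_formula_like(cell)]


# Constructed sample: an asset row whose free-text remark starts with "=".
SAMPLE_HEADER = ["id", "hostname", "remarks"]
SAMPLE_ROWS = [(101, "rack-a01", "=1+1")]
```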