ankane / blazer

Business intelligence made simple
MIT License

[Idea] Pass variables instead of SQL statement in query execution payload #416

Closed timirwin closed 2 years ago

timirwin commented 2 years ago

Recently we had a penetration testing company test an application we built which includes Blazer queries (and dashboards). They identified that running queries and dashboards will put the raw SQL onto the HTML page before sending it back via browser actions (variable change, run button, download button, etc.) for execution. They were able to modify the SQL in the browser before sending it, demonstrating a SQL injection problem of getting database system information. Thankfully our database permissions limited them to read-only access, but they still could query our tables, enumerate our users (which could legitimately be in a join in a query), etc.

Are there thoughts/plans for moving away from the back and forth of SQL statements in the payload and move toward passing the variables instead (in the show pages)? Or perhaps a different approach? I know the edit pages need to pass the SQL because they are used for configuring the SQL statements themselves.

ankane commented 2 years ago

Hey @timirwin, the full query is passed to make sure the results line up with the query shown on the page. This shouldn't have any impact on security (users can run the same queries they can from the New Query page). However, if you think there's more to the issue, please use the email on my GitHub profile to report (as well as for future security-related issues).
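The two designs discussed in this thread side by side, as an added Ruby illustration that is not Blazer's own code: design A takes only a query id plus variable values from the request and binds the values as parameters, so a statement edited in the browser is never read; design B keeps the round-tripped statement (the maintainer's reason for passing the full query) but only executes it when it matches the stored statement for that id. The `STORED_QUERIES` table, the `{name}` placeholder syntax, and the `?` bind marker are assumptions constructed for this example.

```ruby
# Added illustration, not Blazer's code. Assumptions: saved queries are
# stored server-side keyed by id, and variables use a {name} placeholder
# syntax (both constructed for this example).
STORED_QUERIES = {
  1 => "SELECT id, email FROM users WHERE created_at >= {start_time} LIMIT 10",
  2 => "SELECT count(*) FROM orders WHERE status = {status}"
}.freeze

VARIABLE_PATTERN = /\{(\w+)\}/

# Names of the placeholders a stored statement expects, in first-seen order.
def variables_in(sql)
  sql.scan(VARIABLE_PATTERN).flatten.uniq
end

# Design A (the idea in the issue): the request carries only a query id and
# variable values. The SQL text comes from server-side storage, so anything a
# client puts into a "statement" field is never read, and each value becomes a
# bind parameter rather than part of the SQL string.
def build_from_variables(query_id, submitted_vars)
  sql = STORED_QUERIES.fetch(query_id) { raise ArgumentError, "unknown query #{query_id}" }
  vars = submitted_vars.transform_keys(&:to_s)
  expected = variables_in(sql)

  unknown = vars.keys - expected
  raise ArgumentError, "unexpected variables: #{unknown.join(', ')}" unless unknown.empty?
  missing = expected - vars.keys
  raise ArgumentError, "missing variables: #{missing.join(', ')}" unless missing.empty?

  binds = []
  bound_sql = sql.gsub(VARIABLE_PATTERN) do |_match|
    binds << vars.fetch(Regexp.last_match(1))
    "?" # positional bind marker; the driver receives the value separately
  end
  [bound_sql, binds]
end

# Design B (the maintainer's point): the statement still round-trips through
# the browser so the results match what the page shows, but the server only
# executes it if it is exactly the stored statement for that id. An edited
# statement is rejected rather than run.
def verify_round_tripped_statement(query_id, submitted_sql)
  stored = STORED_QUERIES[query_id]
  !stored.nil? && stored == submitted_sql.to_s
end

if __FILE__ == $PROGRAM_NAME
  # A quote-bearing value stays a value: it is bound, not spliced into the SQL.
  sql, binds = build_from_variables(2, { "status" => "paid' OR 1=1 --" })
  puts sql                                                 # SELECT count(*) FROM orders WHERE status = ?
  p binds                                                  # ["paid' OR 1=1 --"]
  p verify_round_tripped_statement(2, STORED_QUERIES[2])   # true
  p verify_round_tripped_statement(2, "SELECT version()")  # false
end
```

Either design leaves the show-page flow with nothing for a client to tamper with: under A the statement never leaves the server, and under B a modified statement fails the comparison before it reaches the database. Neither replaces read-only database permissions, which the issue notes were what contained the finding.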