[Security] added 'eq' operation when querying entitiy

litmuschaos / litmus

Litmus helps SREs and developers practice chaos engineering in a Cloud-native way. Chaos experiments are published at the ChaosHub (https://hub.litmuschaos.io). Community notes is at https://hackmd.io/a4Zu_sH4TZGeih-xCimi3Q

Apache License 2.0

4.39k stars 688 forks source link

Proposed changes

This is a fix for the security vulnerability Database query built from user-controlled sources raised by CodeQL.

The issue arises when passing an entity identity without using the $eq operation

References recommend using $eq to enhance security.

This code is an example of the modified code.

//AS-IS
query := bson.D{{"_id", projectID}}

//TO-BE
query := bson.D{{"_id", bson.D{{"$eq", projectID}}}} // uses the $eq operation

References

Types of changes

What types of changes does your code introduce to Litmus? Put an x in the boxes that apply

[x] New feature (non-breaking change which adds functionality)
[ ] Bugfix (non-breaking change which fixes an issue)
[ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
[ ] Documentation Update (if none of the other choices applies)

Checklist

Put an x in the boxes that apply. You can also fill these out after creating the PR. If you're unsure about any of them, don't hesitate to ask. We're here to help! This is simply a reminder of what we are going to look for before merging your code.

[x] I have read the CONTRIBUTING doc
[x] I have signed the commit for DCO to be passed.
[ ] Lint and unit tests pass locally with my changes
[ ] I have added tests that prove my fix is effective or that my feature works (if appropriate)
[ ] I have added necessary documentation (if appropriate)

Dependency

Please add the links to the dependent PR need to be merged before this (if any).

litmuschaos / litmus