# fleet

wennan.he

02/20/2023, 4:58 AM
Hi fleet team, I found the API /api/_version_/fleet/activities, and if I append SQL to OrderKey and pass it in, will it cause a SQL injection issue? I see the implementation of the appendListOptionsWithCursorToSQL method and it doesn't handle that.

Lucas Rodriguez

02/20/2023, 4:09 PM
Hi @wennan.he! Thanks for letting us know. I'll ask the team to take a look. Have you found a SQL injection issue?

wennan.he

02/20/2023, 5:32 PM
I just saw the logic and it looks like it has the issue.

Lucas Rodriguez

02/20/2023, 6:14 PM
From our team:
The `sanitizeColumn` does its job and the backticks ensure that the whole string is considered as a column name (or table name if in front of `.`), even if it matches a keyword. But if they can think of a way this is unsafe, by all means we'd be happy to learn about it and implement the required fix!

wennan.he

02/22/2023, 7:35 PM
@Lucas Rodriguez after consideration, I think putting the unexpected content into the SQL execution process after sanitizing is still not safe or good enough, and the returned message has a risk of exposing MySQL error codes through the API; this is not good practice. Could you consider it?

Lucas Rodriguez

02/22/2023, 7:41 PM
Oh! OK.
> I think putting the unexpected content into the SQL execution process after sanitizing is still not safe or good enough
Can you share a sample with us so that we can fix it?
> the returned message has a risk of exposing MySQL error codes through the API; this is not good practice. Could you consider it?
Makes sense. Could you open a GitHub issue (a sample error would really help us)?