
getVerificationCode testType variable may be vulnerable to sql injection security risk #432

Open
whaber opened this issue Jul 30, 2020 · 1 comment
Labels
security security stuffs

Comments

@whaber (Contributor)

whaber commented Jul 30, 2020

We should confirm in cloudfunctions hosted code that all input variables are being checked for validity.

When testType is submitted as `confirmed' AND '1'='1' --`, the message returned is INTERNAL. This was the only security test I found that returned this.

This may be because invalid input was detected and rejected by the code (good), or it may be that the code did not validate the input and the text was sent to the data store, and it was luck that the attack did not work.
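The validation the issue asks for, as an added example that is not part of the issue or the project's own code: the testType parameter of getVerificationCode is checked against an allowlist before any query is built, so the payload quoted above is turned into a client error rather than reaching the data store. The set of accepted values and the handler shape are assumptions; only `confirmed` comes from the issue text.

```javascript
// Added example (not the project's code): allowlist validation for the
// testType parameter of getVerificationCode in a cloud function handler.
// The accepted values are an assumption; "confirmed" is taken from the
// payload quoted in the issue.
const VALID_TEST_TYPES = new Set(["confirmed", "likely", "negative"]);

// Returns the canonical test type, or null when the input is not exactly one
// of the allowed values. SQL metacharacters, comments, wrong types and padded
// strings are all rejected here, before a query or data-store call is built.
function validateTestType(input) {
  if (typeof input !== "string") return null;
  const value = input.trim().toLowerCase();
  return VALID_TEST_TYPES.has(value) ? value : null;
}

// Handler-style wrapper (assumed shape): bad input gets a 400 with a clear
// reason instead of falling through to the data layer and surfacing as an
// opaque INTERNAL error, which is what the issue reports seeing.
function getVerificationCodeRequest(body) {
  const testType = validateTestType(body && body.testType);
  if (testType === null) {
    return { status: 400, error: "invalid testType" };
  }
  // Only a known constant reaches this point; safe to pass to the data store.
  return { status: 200, testType };
}
```

Logging the rejected value (length-limited and escaped) at this point also gives the team a record of probing attempts like the one in the issue.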

@whaber whaber added the security security stuffs label Jul 30, 2020
@whaber (Contributor, Author)

whaber commented Jul 31, 2020

A thought: Is this in the right project?
