OpenShift Bugs / OCPBUGS-23030

ProdSec SQL injection may be possible

Status: Waiting on information from reporter

Description of problem:

Using ProdSec's RapiDAST tooling, the scan found a possible high SQL injection against the build.openshift.io/v1 API.
      

      Version-Release number of selected component (if applicable):

      4.14.0-0.nightly-2023-11-05-194730
      

      How reproducible:

      Unknown
      
      

Steps to Reproduce:

1. Follow the instructions on how to set up RapiDAST: https://github.com/RedHatProductSecurity/rapidast/tree/development#installation
2. Get the console URL:
   export BASE_API_URL=$(oc get infrastructure -o jsonpath="{.items[*].status.apiServerURL}")
3. Get the user token:
   export TOKEN=$(oc whoami -t)
4. Fill in the values and copy helm/chart/value_test.yaml into values.yaml (see the attached file with the proper configuration for this test).
5. helm install rapidast helm/chart -f helm/chart/value_test.yaml
      

      Actual results:

      High security alert found
      

      Expected results:

      Limited medium or low alerts 
      

      Additional info:

api_doc=build.openshift.io/v1
API URL used: export API_URL="$BASE_API_URL/openapi/v3/apis/$api_doc"
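The reproduction steps above, wrapped into a script as an added example; this is not code from the bug report or from the RapiDAST project. It mirrors steps 2, 3 and 5 and the API_URL construction from "Additional info", and adds one preflight check a practitioner would want before installing the chart: that the OpenAPI document is actually returned (HTTP 200, JSON with an "openapi" key) for the bearer token in use, since scanning an error page instead of the API skews DAST findings. The function names, the RUN_RAPIDAST_PREP guard and the hostname used in the test are assumptions of this example; the `oc`, `curl` and `helm` invocations are as in the report or standard.

```shell
# Added example, not part of OCPBUGS-23030 or RapiDAST.
# Builds the same environment the report uses and checks the API doc is
# reachable before the scan chart is installed.
set -eu

# Mirrors "Additional info": the OpenAPI v3 document for one API group/version.
build_api_url() {
    base_api_url="${1%/}"   # tolerate a trailing slash on the API server URL
    api_doc="$2"
    printf '%s/openapi/v3/apis/%s\n' "$base_api_url" "$api_doc"
}

# Steps 2 and 3 from the report. Needs a logged-in `oc`; only run when
# RUN_RAPIDAST_PREP=1 so the script can be sourced or tested offline.
discover_cluster() {
    BASE_API_URL=$(oc get infrastructure -o jsonpath='{.items[*].status.apiServerURL}')
    TOKEN=$(oc whoami -t)
    export BASE_API_URL TOKEN
}

# Preflight: the scanner will send requests with this token, so confirm the
# token actually retrieves the OpenAPI document. A 401/403, a connection
# failure (curl reports 000) or a non-JSON body means the scan would be
# exercising an error response rather than the API surface.
preflight_api_doc() {
    api_url="$1"; token="$2"
    tmp=$(mktemp)
    http_code=$(curl -sk -o "$tmp" -w '%{http_code}' \
        -H "Authorization: Bearer ${token}" "$api_url" || true)
    if [ "$http_code" != 200 ]; then
        echo "API doc fetch failed: HTTP $http_code" >&2; rm -f "$tmp"; return 1
    fi
    if ! grep -q '"openapi"' "$tmp"; then
        echo "response is not an OpenAPI document" >&2; rm -f "$tmp"; return 1
    fi
    rm -f "$tmp"
}

if [ "${RUN_RAPIDAST_PREP:-0}" = 1 ]; then
    discover_cluster
    API_DOC=build.openshift.io/v1
    API_URL=$(build_api_url "$BASE_API_URL" "$API_DOC")
    export API_URL
    preflight_api_doc "$API_URL" "$TOKEN"
    # Step 5 from the report, once value_test.yaml has been filled in.
    helm install rapidast helm/chart -f helm/chart/value_test.yaml
fi
```

Run it with RUN_RAPIDAST_PREP=1 from a shell logged in to the cluster. Note that the scan runs with whatever RBAC the token from `oc whoami -t` carries, so the findings describe what that user can reach, not the API in general.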
      
      

People: Sayan Biswas (rh-ee-sabiswas), Paige Patton (prubenda)