- Bug
- Resolution: Not a Bug
- Major
- None
- 4.14
- No
- True
Description of problem:
Using ProdSec's RapiDAST tooling, the scan reports a high-severity possible SQL injection against the build.openshift.io/v1 API.
Version-Release number of selected component (if applicable):
4.14.0-0.nightly-2023-11-05-194730
How reproducible:
Unknown
Steps to Reproduce:
General information can be found here: https://docs.engineering.redhat.com/display/PRODSEC/RapiDAST+QuickStart+Guide#RapiDASTQuickStartGuide-Case3:ScanningOpenShift/KubernetesandOperators
1. Follow the installation instructions for RapiDAST: https://github.com/RedHatProductSecurity/rapidast/tree/development#installation
2. Get the cluster URL: export BASE_API_URL=$(oc get infrastructure -o jsonpath="{.items[*].status.apiServerURL}")
3. Get a user token: export TOKEN=$(oc whoami -t)
4. Fill in the values and copy helm/chart/value_test.yaml into values.yaml (see the attached file with the proper configuration for this test)
5. helm install rapidast helm/chart -f helm/chart/value_test.yaml
Actual results:
High security alert found
Expected results:
Limited medium or low alerts
Additional info:
api_doc=build.openshift.io/v1
API URL used: export API_URL="$BASE_API_URL/openapi/v3/apis/$api_doc"
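The reproduction steps and the API URL construction from "Additional info", collected into one script. This is an added example, not part of the bug report or of the RapiDAST project: it builds the OpenAPI v3 URL the same way the report does, refuses to run with an empty token (an anonymous crawl silently changes what the scan covers), and only contacts a cluster when RAPIDAST_RUN=1 is set, so the helper functions can be checked without one. The `oc`, `helm` and values-file paths come from the steps above; `RAPIDAST_RUN`, `RAPIDAST_VALUES`, `build_api_url`, `check_token` and `run_scan` are names introduced here.

```shell
#!/bin/sh
# Added example (not the bug report's or RapiDAST's own code). Assumes the
# `oc` and `helm` CLIs are on PATH and that the rapidast checkout is the
# working directory when RAPIDAST_RUN=1 is set.

# Build the OpenAPI v3 document URL for one API group/version, exactly as the
# report's "Additional info" does: $BASE_API_URL/openapi/v3/apis/$api_doc
build_api_url() {
    base="${1%/}"          # drop a trailing slash so we never emit "//openapi"
    api_doc="$2"
    case "$api_doc" in
        */*/*|"") echo "build_api_url: api_doc must look like group/version" >&2; return 1 ;;
        */*) ;;
        *) echo "build_api_url: api_doc must look like group/version" >&2; return 1 ;;
    esac
    printf '%s/openapi/v3/apis/%s\n' "$base" "$api_doc"
}

# Reject an empty or malformed token before it is written into a values file.
# oc tokens look like "sha256~..." (letters, digits and a few URL-safe symbols).
check_token() {
    tok="$1"
    [ -n "$tok" ] || { echo "check_token: empty token (run 'oc login' first)" >&2; return 1; }
    case "$tok" in
        *[!A-Za-z0-9._~+/=-]*) echo "check_token: token contains unexpected characters" >&2; return 1 ;;
    esac
    return 0
}

# Steps 2, 3 and 5 of the report; step 4 is the manual copy into the values
# file, so here we only verify that the values file exists before helm runs.
run_scan() {
    api_doc="${1:-build.openshift.io/v1}"
    values="${RAPIDAST_VALUES:-helm/chart/value_test.yaml}"

    BASE_API_URL=$(oc get infrastructure -o jsonpath="{.items[*].status.apiServerURL}") || return 1
    TOKEN=$(oc whoami -t) || return 1
    check_token "$TOKEN" || return 1
    API_URL=$(build_api_url "$BASE_API_URL" "$api_doc") || return 1
    export BASE_API_URL TOKEN API_URL

    [ -f "$values" ] || { echo "run_scan: values file $values not found" >&2; return 1; }
    echo "scanning $API_URL with values from $values"
    helm install rapidast helm/chart -f "$values"
}

# Only touch a cluster when explicitly asked.
if [ "${RAPIDAST_RUN:-0}" = "1" ]; then
    run_scan "$@"
fi
```

Run it with `RAPIDAST_RUN=1 sh scan.sh build.openshift.io/v1` after `oc login`; the same two helpers can be sourced into a shell and used to check any other `api_doc` value before a scan.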
is duplicated by:
- OCPBUGS-23030 Prodsec sql injection may be possible (Closed)
- OCPBUGS-23031 Prodsec sql injection may be possible (Closed)