OpenShift Bugs: OCPBUGS-23031

ProdSec SQL injection may be possible

      Waiting on information from reporter

      Description of problem:

      Using ProdSec's rapidast tooling, the scan reported a high-severity "SQL injection possible" alert against the build.openshift.io/v1 API.

      Version-Release number of selected component (if applicable):

      4.14.0-0.nightly-2023-11-05-194730

      How reproducible:

      Unknown

      Steps to Reproduce:

      1. Follow the rapidast installation instructions: https://github.com/RedHatProductSecurity/rapidast/tree/development#installation
      2. Get the API server URL:
         export BASE_API_URL=$(oc get infrastructure -o jsonpath="{.items[*].status.apiServerURL}")
      3. Get a user token:
         export TOKEN=$(oc whoami -t)
      4. Fill in the values and copy the attached value_test.yaml (the configuration used for this test) to helm/chart/value_test.yaml.
      5. Install the chart with that configuration:
         helm install rapidast helm/chart -f helm/chart/value_test.yaml

      Actual results:

      The scan reports a high-severity alert (SQL injection possible) against the build.openshift.io/v1 API.

      Expected results:

      No high-severity alerts; at most a limited number of medium- or low-severity alerts.

      Additional info:

      api_doc=build.openshift.io/v1
      API URL used: export API_URL="$BASE_API_URL/openapi/v3/apis/$api_doc"

            rh-ee-sabiswas Sayan Biswas
            prubenda Paige Rubendall