Actions
Bug #5738
open
[API] Validate that selected columns are selectable, and return an error if not
Story points:
0.5
Release:
Release relationship:
Auto
Description
Background¶
Insufficient sanity checking causes an easy client error to generate an obtuse error message.
Resolution¶
Before doing queries, verify that the "select" parameter provided by the client (if any) is not empty and does not contain any invalid entries.
Initial bug report¶
$ bundle exec arv collection list --filters='[["uuid", "=", "su92l-4zz18-hll1sflwwh8ogk1"]]' --select '["writable_by"]' Error: #<ActiveRecord::StatementInvalid: PG::SyntaxError: ERROR: syntax error at or near "FROM" LINE 1: SELECT FROM "collections" WHERE (expires_at IS NULL or ex... ^ : SELECT FROM "collections" WHERE (expires_at IS NULL or expires_at > CURRENT_TIMESTAMP) AND ((collections.uuid = 'su92l-4zz18-hll1sflwwh8ogk1')) LIMIT 100 OFFSET 0>
It's not obvious that this is exploitable, but the fact that we're generating an invalid SQL statement without catching the error earlier is very concerning.
Related issues
Updated by Peter Amstutz about 9 years ago
- Description updated (diff)
- Category set to API
Updated by Tom Clegg about 9 years ago
- Subject changed from [API] SQL leak when performing 'select' on invalid field. to [API] Fix SQL error when performing 'select' on invalid field.
Updated by Brett Smith almost 9 years ago
- Subject changed from [API] Fix SQL error when performing 'select' on invalid field. to [API] Validate that selected columns are selectable, and return an error if not
- Target version changed from Bug Triage to 2015-06-10 sprint
- Story points set to 0.5
Updated by Brett Smith almost 9 years ago
- Target version changed from 2015-06-10 sprint to Arvados Future Sprints
Updated by Peter Amstutz almost 3 years ago
- Target version deleted (
Arvados Future Sprints)
Actions