Patch #35073

escape values in LIKE statements to prevent injection of placeholders (_ or %)

Added by Jens Krämer 2 months ago. Updated about 1 month ago.

Status:NewStart date:
Priority:NormalDue date:
Assignee:-% Done:

0%

Category:Database
Target version:-

Description

While not technically a security risk, LIKE queries with lots of placeholders can result in high database load, very slow query execution and therefore are a possible vector for denial of service attacks. Further, escaping the wildcard characters in actual query values now allows to actually search for values containing these characters.

The attached patches, which have been extracted from Planio are:

  • The first patch removes '%' signs from query strings used in the search test case. These did not matter until now since they just resulted in queries like field LIKE '%%value%%', but now would be looking for a value with literal percent signs. Tests pass before and after that change.
  • Patches 2-4 add sanitize_sql_like calls to the various places where we currrently generate sql LIKE statements. Corresponding tests are included.
  • The last patch is just a cosmetic change that replaces a .send with a direct call since the called method is now public.

0005-sanitize_sql_for_conditions-is-now-public.patch Magnifier (1.02 KB) Jens Krämer, 2021-04-12 08:44

0004-use-sanitize_sql_like-in-Query-sql_contains.patch Magnifier (1.75 KB) Jens Krämer, 2021-04-12 08:44

0003-use-sanitize_sql_like-in-like-scopes.patch Magnifier (6.13 KB) Jens Krämer, 2021-04-12 08:44

0002-use-sanitize_sql_like-on-search-tokens.patch Magnifier (2.34 KB) Jens Krämer, 2021-04-12 08:44

0001-removes-signs-from-test-strings-in-search-test.patch Magnifier (1.16 KB) Jens Krämer, 2021-04-12 08:44


Related issues

Related to Redmine - Feature #13347: Filtering by issue subject with wildcard New
Related to Redmine - Defect #19786: '%' and '_' are treated as SQL wildcards in issue filter New

History

#1 Updated by Go MAEDA 2 months ago

  • Related to Feature #13347: Filtering by issue subject with wildcard added

#2 Updated by Go MAEDA 2 months ago

  • Related to Defect #19786: '%' and '_' are treated as SQL wildcards in issue filter added

#3 Updated by Go MAEDA about 1 month ago

I actually find the current behavior useful. For example, when I search for photos using the "File" filter, I use the query string "dsc%.jpg".

If Redmine prohibits the inclusion of "_" or "%" in the query string, then I want some alternative.

Also available in: Atom PDF