-
Notifications
You must be signed in to change notification settings - Fork 7
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CVE-2019-18413. Patch for potential SQL injections #137
CVE-2019-18413. Patch for potential SQL injections #137
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"The acceptance criterium for this PR is that every request made from the frontend must not result in a 400 Bad Request if they worked before this solution. That might be indicative of missing validation."
Almost every request works as wanted, but the details page of a user group results in a 400 bad request. Url is ../admin/permissions/{id}. It looks like it isn't able to find the users connected to the user group.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looking good - and no more error 400! Good job.
* Feature/IOT_16_MulticastBackend (#132) * Made CRUD operationer for multicast. Tested with frontend. * Made CRUD for multicast in backend plus connection to chirpStack. * Changed chirpstack applicationID since there will always only be one. * Split multicast in two entities so it's easier to expand later. Made a new entity called lorawanMulticastDefinition which will contain the informations about a lorawan multicast * made functionality so devices now will be added to chirpstack if they are a lorawan device. Also made the update functionality, so a device will be removed if it's not a part of the new multicast * Send message. Possible to get current message queue and to overwrite it * Made validation for service profile. Devices should only be added to multicast if they alle have same service profile. * PR changes * PR changes - fixed pagination for multicast * PR Changes * PR Changes * Pr changes Co-authored-by: August Andersen <[email protected]> * Db migrations (#133) * Made migrations. Now it's nessesary to add migrations when changes are made in db. The command - npm run typeorm migration:generate -- -n <migrationName> - will generate a migration file if changes are made compared to the db. When you launch the app, a migration:run command will be called. This will apply the newly migration. If you want to revert a migration, npm run typeorm migration:revert can be called. It will revert the latest migration. If you are in doubt which migrations has been called or not, you can write npm run typeorm migration:show. This will show you the pending/fulfilled migrations. * Since migrations are made in prestart, no need to check on dist. * PR Changes * PR changes Co-authored-by: August Andersen <[email protected]> * Migrations changes in ormconfig file to make migrations possible in test environment * Initial migration (#134) * Initial migration * Fix proper linting ignore of migrations * Changed ormconfig.ts to .js so dist folder is created correctly. Minor changes in package.json. Removed multicast from initialmigration and made a seperate migration with multicast. Co-authored-by: augusthjerrild <[email protected]> * Feature/1220 api key (#136) * Init api key auth with hardcoded keys * Added TODOs. Throw 401 if api key is invalid * Fix roles metadata not set on class controller * Fetch api keys and sort. Prepare for create and update * Api key fetch and create done * Cleanup api key flow. Remove update flow for now * Validate api key access * Works - typeerror when building * Fixed circular dependency error * Added API guard to relevant controllers * Fix indentation. Delete unused auth api key request Co-authored-by: Aram Al-Sabti <[email protected]> Co-authored-by: nlg <[email protected]> * Fix roles in controllers where it was set on the whole class (#139) * Edit API keys (#138) * Add option for editing API key * Fix API keys with admin not having write access * Edit API key PR * Clean up API key * CVE-2019-18413. Patch for potential SQL injections (#137) * CVE-2019-18413. Patch for potential SQL injections * Fix request 400 on get applications by permission * Spell organization with British English ("z") * Simplified migration names * Optimize chirpstack calls when fetching devices (#143) * FIWARE datatarget (#141) * Fiware DataTarget Support * Migration for Fiware Datatarget * Fixing incorrect log message * PR Fixes * Optimize bulk import and the load on chirpstack (#140) * Adjust eslint * Modify bulk import create to take batches. Update missing * Remove restriction on devices belonging to the same application * Optimize chirpstack calls. Init updatemany endpoint. * Implement updateMany and cleanup * Fix device model not set. Cleanup code. Add comments * Refactor iot device helpers * Make device model error code more specific * Added comment every time invalid devices are filtered * Fixed issue when creating new IoT device with no device model * Fixed Fiware datatarget headers declarations and corresponding unit tests (#144) Co-authored-by: August Andersen <[email protected]> Co-authored-by: Aram Al-Sabti <[email protected]> Co-authored-by: nlg <[email protected]> Co-authored-by: Bartek <[email protected]>
A vulnerability exists in the packages
class-transformer
and, by extension,class-validator
. It has been patched inclass-transformer
, butclass-validator
has an ongoing issue on this. For now, the solution is to setforbidUnknownValues
.All the changes in this PR are the result of setting
forbidUnknownValues
in nestjs.ts. From now on, developers must ensure that the body of POST and PUT requests is properly validated. If not, then a 400 exception will be thrown.The acceptance criterium for this PR is that every request made from the frontend must not result in a 400 Bad Request if they worked before this solution. That might be indicative of missing validation.
Related frontend PR