This repository was archived by the owner on Apr 20, 2023. It is now read-only.

@gmanhas23 gmanhas23 commented Jan 16, 2023

…ueries

Problem

  1. Remove plugin .json file for version 2.0.26 from the code repository
  2. Plugin should be supported with latest dvp version 3.1.0, corresponding to Python 2.7
  3. User is able to inject SQL queries using password field in both Linking and Provisioning wizard. Bug created https://delphix.atlassian.net/browse/MYSQL-59

Solution

  1. Remove plugin .json file for version 2.0.26 from the code repository
  2. Added a new required schema for DVP 3.1.0 Snapshot Parameters Definition.
  3. Disallowed spaces, single quotes and double quotes from the UI for password strings.

Testing Done

Tested with the query strings on dsource and VDB creation pages, and the user is not able to write SQL queries into the textbox in the UI.
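
The rule from item 3 of the Solution, re-checked in plugin code instead of relying on the UI alone. This is an added example, not code from the PR or the plugin; the regex and the field names (`source_password`, `staging_password`, `vdb_password`) are assumptions, since the page does not show the schema.

```python
import re

# Rule as stated in the PR: no spaces, single quotes or double quotes.
# The plugin's actual schema pattern is not shown on the page; this regex is
# an assumption that encodes the stated rule.
PASSWORD_PATTERN = re.compile(r"""[^ '"]+\Z""")

# Hypothetical parameter names for the two wizards (not from the page).
PASSWORD_FIELDS = {
    "linking": ("source_password", "staging_password"),
    "provisioning": ("vdb_password",),
}

FORBIDDEN = ((" ", "space"), ("'", "single quote"), ('"', "double quote"))


def check_wizard_parameters(wizard, params):
    """Return violation messages for the password fields of one wizard.

    Messages name the field and the kind of character found, never the
    value, so the secret does not end up in logs or error dialogs.
    """
    if wizard not in PASSWORD_FIELDS:
        raise ValueError("unknown wizard: %s" % wizard)
    violations = []
    for field in PASSWORD_FIELDS[wizard]:
        value = params.get(field)
        if not isinstance(value, str) or not value:
            violations.append("%s: missing or not a string" % field)
        elif not PASSWORD_PATTERN.match(value):
            kinds = [name for char, name in FORBIDDEN if char in value]
            violations.append("%s: contains %s" % (field, ", ".join(kinds)))
    return violations


if __name__ == "__main__":
    # Constructed sample input, not taken from the PR.
    sample = {"source_password": "Str0ng-pw_1", "staging_password": "a b'c\"d"}
    for message in check_wizard_parameters("linking", sample):
        print(message)
```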

@gmanhas23 gmanhas23 changed the title from "MYSQL-59 Security -> Password field on UI can be used to inject SQL q…" to "MYSQL-78 Support latest dvp version 3.1.0, MYSQL-59 Security -> Passw…" Jan 17, 2023
@gmanhas23 gmanhas23 changed the title from "MYSQL-78 Support latest dvp version 3.1.0, MYSQL-59 Security -> Passw…" to "MYSQL-78 Support latest dvp version 3.1.0, MYSQL-59 Security -> Password field on UI can be used to inject SQL queries" Jan 17, 2023
…pository, MYSQL-78 Support latest dvp version 3.1.0, MYSQL-59 Security -> Password field on UI can be used to inject SQL queries
@gmanhas23 gmanhas23 changed the title from "MYSQL-78 Support latest dvp version 3.1.0, MYSQL-59 Security -> Password field on UI can be used to inject SQL queries" to "MYSQL-80 Remove plugin .json file for version 2.0.26 from the code repository, MYSQL-78 Support latest dvp version 3.1.0, MYSQL-59 Security -> Password field on UI can be used to inject SQL queries" Jan 17, 2023
@gmanhas23 gmanhas23 merged commit e22f417 into delphix:develop Jan 18, 2023
vinaybyrappa pushed a commit that referenced this pull request Jan 25, 2023
…pository, MYSQL-78 Support latest dvp version 3.1.0, MYSQL-59 Security -> Password field on UI can be used to inject SQL queries (#21)

* MYSQL-59 Security -> Password field on UI can be used to inject SQL queries

* MYSQL-78 Support latest dvp version 3.1.0, MYSQL-59 Security -> Password field on UI can be used to inject SQL queries

* MYSQL-80 Remove plugin .json file for version 2.0.26 from the code repository, MYSQL-78 Support latest dvp version 3.1.0, MYSQL-59 Security -> Password field on UI can be used to inject SQL queries