[FINERACT-1338] SQL Injection - While "runreports" api is trying to load report parameters - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Resolved
Affects Version/s: None
Fix Version/s: None
Component/s: None
Labels:
None

Description

After solving the error at ~~FINERACT-1336~~ a new error shows up.

while api - runreports
fineract-provider/api/v1/runreports/OfficeIdSelectOne?parameterType=true
is spooling the report parameters, user will not see any error on the UI

but looking through the console OR postman you see error below

{ "developerMessage": "The request was invalid. This typically will happen due to validation errors which are provided.", "httpStatusCode": "400", "defaultUserMessage": "Unexpected SQL Commands found", *"userMessageGlobalisationCode": "error.msg.found.sql.injection"* }

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

image-2021-03-31-15-53-00-571.png
31/Mar/21 15:53
16 kB
Francis Guchie
image-2021-04-04-15-56-40-189.png
04/Apr/21 12:56
117 kB
Joseph Makara

Issue Links

incorporates

FINERACT-969 Run OWASP zaproxy.org against Fineract (e.g. fineract.dev)

Open

is fixed by

FINERACT-1345 Fix runreports

Resolved

is part of

FINERACT-854 Use prepared statements instead of string concatenated SQL everywhere

In Progress

Activity

People

Assignee:: Francis Guchie

Reporter:: Francis Guchie

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 31/Mar/21 15:53

Updated:: 01/May/21 08:00

Resolved:: 04/Apr/21 22:09