Bug #12458: Facts search vulnerable to SQL injection - Foreman

Bug #12458

Facts search vulnerable to SQL injection

Added by Dominic Cleal over 7 years ago. Updated over 4 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Dominic Cleal

Category:

Security

Target version:

1.10.0

Difficulty:

Triaged:

Bugzilla link:

Pull request:

https://github.com/theforeman/foreman/pull/2908

Fixed in Releases:

Found in Releases:

Red Hat JIRA:

Description

The search for facts and also hosts by facts is vulnerable to SQL injection by breaking out of quotes in either the fact name or the fact value.

Hosts search term: facts.bobby'tables = test

SQLite3::SQLException: near "tables": syntax error: SELECT  "hosts".*
FROM "hosts" INNER JOIN fact_values fact_values_66 ON (hosts.id =
fact_values_66.host_id) INNER JOIN fact_names fact_names_66 ON
(fact_names_66.id = fact_values_66.fact_name_id) WHERE "hosts"."type" 
IN ('Host::Managed') AND ((fact_names_66.name = 'bobby'tables' AND
fact_values_66.value = 'test')) ORDER BY "hosts"."name" ASC LIMIT 40
OFFSET 0

Hosts search term: facts.test = a'b

SQLite3::SQLException: near "b": syntax error: SELECT  "hosts".* FROM
"hosts" INNER JOIN fact_values fact_values_62 ON (hosts.id =
fact_values_62.host_id) INNER JOIN fact_names fact_names_62 ON
(fact_names_62.id = fact_values_62.fact_name_id) WHERE "hosts"."type" 
IN ('Host::Managed') AND ((fact_names_62.name = 'test' AND
fact_values_62.value = 'a'b')) ORDER BY "hosts"."name" ASC LIMIT 40
OFFSET 0

The host search by facts mechanism was extended in #11150 to support integer comparisons, and in the process the custom SQL that was added doesn't escape non-integer values when it constructs the query.

This was added in Foreman 1.10.0, so only the current release candidates are affected.

CVE identifier requested.

Related issues