MAP-1600 Code injection #2362

tobyprivett · 2024-10-08T15:31:54Z

Upgraded CodeQL to use V3.

Refactored controller method to initialize a GenericEvent class from the constant name rather than user input.

- v1 is way out of date

tobyprivett · 2024-10-09T10:25:24Z

Closing this because the input params are validated before reaching this vulnerability:

Line 23 in 0f8c697

 validates_inclusion_of :eventable_type, in: EVENTABLE_TYPES, message: "'%{value}' is not a valid eventable type" 

tobyprivett changed the title ~~[MAP-1600] Code injection~~ MAP-1600 Code injection Oct 8, 2024

tobyprivett force-pushed the MAP-1600-code-injection branch from 98f610c to bcd11f1 Compare October 8, 2024 15:37

Prefer CodeQL v3

6ec0409

- v1 is way out of date

tobyprivett force-pushed the MAP-1600-code-injection branch 2 times, most recently from bcf9350 to 68058c4 Compare October 8, 2024 16:04

tobyprivett marked this pull request as ready for review October 8, 2024 16:08

tobyprivett requested a review from a team as a code owner October 8, 2024 16:08

tobyprivett marked this pull request as draft October 8, 2024 16:19

tobyprivett force-pushed the MAP-1600-code-injection branch from 68058c4 to 6ec0409 Compare October 8, 2024 16:21

Avoid code injection by assigning input param to a constant

854ec73

tobyprivett force-pushed the MAP-1600-code-injection branch from a0b6357 to 854ec73 Compare October 9, 2024 09:56

tobyprivett marked this pull request as ready for review October 9, 2024 10:25

tobyprivett closed this Oct 9, 2024

Provide feedback