SQL Injection Vulnerability for Get Upload by ID #102

Open
cfarmer-fearless opened this issue May 10, 2024 · 0 comments

Comments


cfarmer-fearless commented May 10, 2024

Describe the bug
The Upload ID path parameter for the GET api/report/uploadId/{uploadId} does not have sufficient sanitization, allowing arbitrary SQL commands to be run against the target database. Certain values can be used for this path parameter in the request that should result in a 400 but instead alter the SQL query being run, or run a separate query altogether.

Impact
This bug has a medium impact since this endpoint is not exposed publicly, and is not being used by any other users, apps, or services at the time of writing this.

To Reproduce
Steps to reproduce the behavior:

  1. Send an HTTP GET request to https://ocio-ede-prd-pstatus-api.azurewebsites.net/api/report/uploadId/123' OR 1=1-- while on the CDC network

In this example, by adding a single quote after the ID, I'm able to append an OR clause that always evaluates to true to the query so it returns reports no matter what I put for the upload ID. This can be expanded to running any SQL commands by adding a semi-colon followed by the command you want to run.

Expected behavior
PS API returns a 400 saying that the upload ID was invalid. Instead it returns a list of reports, and says these reports belong to something with the upload ID of "123' OR 1=1--"

Screenshots
Actual behavior: (screenshot)

Expected behavior: (screenshot)

Additional context
The SQL query that uses the path parameter value is generated here: https://github.com/CDCgov/data-exchange-processing-status/blob/develop/processing-status-api-function-app/src/main/kotlin/gov/cdc/ocio/processingstatusapi/functions/reports/GetReportFunction.kt#L58

It appears that this pattern of building SQL query strings is used in many places in the PS API codebase.
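
The following is an added illustration of the vulnerable pattern described in this issue and of the fix a reviewer would ask for; it is not code from the data-exchange-processing-status repository, and it does not reproduce the project's Kotlin or its actual report store. It uses an in-memory SQLite table with an assumed schema (`reports(upload_id, destination_id, stage)`) and an assumed upload-ID format (alphanumerics and hyphens) so that it runs offline. `get_reports_vulnerable` splices the path parameter into the query text the way the issue describes, so the payload `123' OR 1=1--` returns every row; `handle_get_report` rejects malformed IDs with a 400 before any query runs and then binds the value as a query parameter, so the same payload can no longer change the query's structure.

```python
import re
import sqlite3

# Constructed sample data standing in for the PS API report store.
# The table name, columns and values are assumptions for this example.
SAMPLE_REPORTS = [
    ("123", "dex-testing", "metadata-verify"),
    ("456", "dex-testing", "upload-status"),
    ("789", "routing", "file-copy"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE reports (upload_id TEXT, destination_id TEXT, stage TEXT)"
    )
    conn.executemany("INSERT INTO reports VALUES (?, ?, ?)", SAMPLE_REPORTS)
    return conn


def get_reports_vulnerable(conn, upload_id):
    """Vulnerable: the path parameter is concatenated into the SQL text.

    A value such as "123' OR 1=1--" closes the string literal, appends an
    always-true condition and comments out the trailing quote, so the WHERE
    clause matches every row instead of one upload.
    """
    sql = f"SELECT upload_id, stage FROM reports WHERE upload_id = '{upload_id}'"
    return conn.execute(sql).fetchall()


# Assumed upload-ID format: 1-64 characters of letters, digits or hyphens.
# Adjust to whatever the real API actually issues; the point is that anything
# outside the expected alphabet is rejected before it reaches the database.
UPLOAD_ID_RE = re.compile(r"[A-Za-z0-9-]{1,64}")


def is_valid_upload_id(upload_id):
    """Allow-list check for the upload ID path parameter."""
    return UPLOAD_ID_RE.fullmatch(upload_id) is not None


def get_reports_hardened(conn, upload_id):
    """Hardened: the value is bound as a parameter, never spliced into the SQL.

    The driver sends the query text and the value separately, so quotes,
    comment markers or semicolons in upload_id are just characters to compare
    against, not SQL syntax.
    """
    sql = "SELECT upload_id, stage FROM reports WHERE upload_id = ?"
    return conn.execute(sql, (upload_id,)).fetchall()


def handle_get_report(conn, upload_id):
    """Simulated endpoint handler returning (http_status, body).

    Malformed IDs get a 400 before any query runs, which is the behavior the
    issue's "Expected behavior" section asks for.
    """
    if not is_valid_upload_id(upload_id):
        return 400, {"error": "invalid upload ID"}
    rows = get_reports_hardened(conn, upload_id)
    return 200, {"upload_id": upload_id, "reports": rows}


if __name__ == "__main__":
    db = make_db()
    payload = "123' OR 1=1--"
    print("vulnerable:", get_reports_vulnerable(db, payload))
    print("hardened:  ", handle_get_report(db, payload))
    print("valid id:  ", handle_get_report(db, "123"))
```

Two defenses are layered here on purpose: the allow-list check produces the 400 the issue expects and keeps garbage out of logs and downstream systems, while the bound parameter is what actually removes the injection, so it must be applied even if the input check is later relaxed. Note that Python's sqlite3 `execute()` refuses to run more than one statement per call, so the semicolon-stacking variant the issue mentions cannot be demonstrated against this particular backend; string-built queries remain unsafe regardless, because the `OR 1=1--` form alone already bypasses the intended filter.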
