CVE-2022-31058: request #27166: Naming a field "id" breaks the report · Enalean/tuleap@b91bcd5
Tuleap is a Free & Open Source suite to improve the management of software development and collaboration. In versions prior to 13.9.99.95, Tuleap does not properly sanitize user input when constructing the SQL query that retrieves data for tracker reports. An attacker with the capability to create a new tracker can execute arbitrary SQL queries. Users are advised to upgrade. There is no known workaround for this issue.
@@ -41,6 +41,8 @@ // phpcs:ignore PSR1.Classes.ClassDeclaration.MissingNamespace, Squiz.Classes.ValidClassName.NotCamelCaps abstract class Tracker_FormElement_Field extends Tracker_FormElement implements Tracker_Report_Field, Tracker_FormElement_IAcceptFieldVisitor { public const PREFIX_NAME_SQL_COLUMN = 'user_defined_’;
protected $has_errors = false;
/** @@ -203,15 +205,19 @@ public function saveCriteriaValueFromXML(Tracker_Report_Criteria $criteria) $this->updateCriteriaValue($criteria, $value); }
final public function getQuerySelectName(): string { return \Tuleap\DB\DBFactory::getMainTuleapDBConnection()->getDB()->escapeIdentifier(self::PREFIX_NAME_SQL_COLUMN . $this->name); }
/** * Get the “select” statement to retrieve field values * @return string * @see getQueryFrom */ public function getQuerySelect() public function getQuerySelect(): string { $R = ‘R_’ . $this->id; return “$R.value_id AS `” . $this->name . "`"; return "$R.value_id AS " . $this->getQuerySelectName(); }
/** @@ -229,15 +235,15 @@ public function getQueryFrom() /** * Get the “order by” statement to retrieve field values */ public function getQueryOrderby() public function getQueryOrderby(): string { return ‘`’ . $this->name . '`’; return $this->getQuerySelectName(); }
/** * Get the “group by” statement to retrieve field values */ public function getQueryGroupby() public function getQueryGroupby(): string { $R = ‘R_’ . $this->id; return "$R.value_id";