CVE-2021-4298: Adding protection against SQL injection · ndlib/sipity@d1704c7
A vulnerability classified as critical has been found in Hesburgh Libraries of Notre Dame Sipity. It affects the function SearchCriteriaForWorksParameter in the file app/parameters/sipity/parameters/search_criteria_for_works_parameter.rb. The manipulation leads to SQL injection. Upgrading to version 2021.8 addresses this issue. The name of the patch is d1704c7363b899ffce65be03a796a0ee5fdbfbdc. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217179.
Adding protection against SQL injection
Prior to this commit, the SearchCriteriaForWorksParameter class was too optimistic in the additional_attributes it received. This was “okay” in that these attributes were passed from within the application (and not from user input).
However, I wanted to tighten that up further which is why I added the changes to fetch the attributes from a map.
And even with all of this, [brakeman][1] identified this as a weak chance for SQL injection. So I also added a config/brakeman.yml file to skip over this file. (alas I can’t skip over a singular violation)
[1]: https://rubygems.org/gems/brakeman
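The allowlist-map pattern the commit message describes, shown as an added example in plain Ruby; this is not Sipity's own code, and the `SEARCHABLE_ATTRIBUTES` map, column names and function names are hypothetical. The unchecked builder is the shape Brakeman flags; the allowlisted builder resolves every key through the map and binds values as parameters.

```ruby
# Added example (not Sipity's code): an allowlist map for search attributes.
# The map, table and column names below are hypothetical.

# Hypothetical allowlist: the only attribute names a caller may search on,
# each mapped to the column it resolves to. Anything else is refused.
SEARCHABLE_ATTRIBUTES = {
  "title"     => "sipity_works.title",
  "work_type" => "sipity_works.work_type",
  "state"     => "sipity_works.processing_state"
}.freeze

class UnknownSearchAttributeError < StandardError; end

# Unchecked shape: trusts the caller's keys and interpolates both key and
# value into the SQL text. Shown only as the "before" of the allowlist fix.
def build_where_unchecked(additional_attributes)
  conditions = additional_attributes.map { |column, value| "#{column} = '#{value}'" }
  "SELECT * FROM sipity_works WHERE " + conditions.join(" AND ")
end

# Hardened shape: every key is fetched from the map (unknown keys raise),
# and values travel as bind parameters rather than as SQL text.
# Returns [sql_with_placeholders, binds].
def build_where_allowlisted(additional_attributes)
  clauses = []
  binds = []
  additional_attributes.each do |key, value|
    column = SEARCHABLE_ATTRIBUTES.fetch(key.to_s) do
      raise UnknownSearchAttributeError, "not a searchable attribute: #{key.inspect}"
    end
    clauses << "#{column} = ?"
    binds << value
  end
  ["SELECT * FROM sipity_works WHERE " + clauses.join(" AND "), binds]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input: attributes as they might arrive from inside the app.
  sql, binds = build_where_allowlisted("title" => "Thesis", :state => "new")
  puts sql
  p binds
end
```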