CVE-2021-4276: Fix potential sql injection through fs path by japroc · Pull Request #190 · dns-stats/hedgehog

Hi there,

Thanks for this report - we appreciate your interest. You’ll have probably noticed that this project is no longer actively maintained (it is superseded by a different DNS-STATS product) but we’ve taken a look at your PR anyway.

The two parameters you identified are generated by reading in directory names on the ‘Data Manager’ server (as described in the User Manual: https://github.com/dns-stats/hedgehog/blob/develop/docs/Hedgehog_User_Guide.pdf). This server is where files from nodes are uploaded to, and so an attacker would need enough access to that server to be able to create a ‘dummy’ directory there in order to compromise those parameters. We don’t provide specific guidance on upload procedures but we do assume that the Data Manager server can only be accessed by authorised users. Because of this, we don’t believe this specific attack is possible without such a compromise of the Data Manager server.

A small aside is that the list of server directories that are processed for data import is limited to those that are already in the database (see https://github.com/dns-stats/hedgehog/blob/develop/tools/refile_and_grok.in#L165), although the list of nodes is not. Servers in the database are restricted to alphanumeric characters and underscores. An additional check could be added in that file to ensure the list of nodes processed is also limited to those already in the database.

However, since your proposed fix is straightforward and harmless, we have accepted it.