CSC/ECE 517 Spring 2022 - E2227: SQL Injection Fix

From Expertiza_Wiki
Revision as of 19:48, 16 March 2022 by Lpobrien

About Expertiza

Expertiza is a web application that allows students to submit projects for review by instructors as well as by other students in the form of peer reviews. It is used primarily by North Carolina State University and is an open-source platform written in Ruby on the Rails framework, developed in this repository.

Description of project

The issue addressed by this wiki page is the presence of SQL injection points: places in the Expertiza system where it is possible to input strings that cause malicious SQL statements to be run against the project database, giving a user access to parts of the system that they should not be able to reach.

Example

Should there be an input field requesting a name for a user, the user may input John in order to access a user named John. However, if this input is not validated or protected against SQL injection, a user may be able to input ' OR '1'='1 in order to gain access to information related to a user with primary key id of 1.
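The mechanism above, as an added example that is not part of this page or the Expertiza code base: a query built by string interpolation next to one that confines the input to a single SQL string literal, with a small tokenizer that shows where the input ends up. The quoting helper is a simplified stand-in for the database adapter's quoting that ActiveRecord's `where("name = ?", name)` form relies on, and the `users` table and `name` column are assumed for illustration.

```ruby
# Added example (not Expertiza code). Table and column names are assumed.

# Vulnerable: user input is interpolated straight into the SQL text, so a
# quote character in the input ends the literal and the rest becomes logic.
def build_query_vulnerable(name)
  "SELECT * FROM users WHERE name = '#{name}'"
end

# Simplified stand-in for the adapter's quoting: doubling every embedded
# single quote keeps the whole value inside one SQL string literal.
def quote_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Hardened: the value reaches the statement only as a quoted literal,
# which is the effect of binding it with where("name = ?", name).
def build_query_safe(name)
  "SELECT * FROM users WHERE name = #{quote_literal(name)}"
end

# Split a statement into string literals (one token each, quotes included)
# and bare words/operators. Inside a literal, '' is an escaped quote, not
# the end of the literal.
def sql_tokens(sql)
  sql.scan(/'(?:[^']|'')*'|[A-Za-z_][A-Za-z0-9_]*|[^\s'A-Za-z_]+/)
end

# True when an OR keyword appears outside every string literal, i.e. the
# input has escaped from data into the statement's logic.
def injected?(sql)
  sql_tokens(sql).any? { |t| t.upcase == "OR" }
end

if __FILE__ == $PROGRAM_NAME
  payload = "' OR '1'='1"   # the constructed input from the example above
  [build_query_vulnerable(payload), build_query_safe(payload)].each do |q|
    puts q
    puts "  tokens: #{sql_tokens(q).inspect}"
    puts "  injected? #{injected?(q)}"
  end
end
```

Run with `ruby` to see that the vulnerable statement tokenizes into an empty literal, a bare OR and a tautology, while the hardened one keeps the entire payload inside one literal.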

Files involved

Changes were made solely to sign_up_sheet_controller.rb.

Solution