CSC/ECE 517 Spring 2022 - E2227: SQL Injection Fix
About Expertiza
Expertiza is a web application that lets students submit projects for review by instructors and by other students in the form of peer reviews. It is used primarily at North Carolina State University, and is an open source platform developed in Ruby on Rails; the source is in this repository.
Description of project
The issue addressed by this wiki page is the presence of SQL injection points: places in the Expertiza system where user-supplied strings are spliced into SQL statements, so that crafted input can run malicious SQL against the project database and give a user access to parts of the system they should not be able to reach.
Example
Suppose a form has an input field that asks for a user's name. A user may enter John in order to look up the user named John. However, if this input is not validated or otherwise protected against SQL injection, a user may instead enter ' OR '1'='1 in order to gain access to information related to a user with primary key id of 1.
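To make the mechanism concrete, the following is an added Ruby illustration (not code from Expertiza or from sign_up_sheet_controller.rb) of the injectable pattern next to the parameterized one. The function names, the users table and the column name are hypothetical; the payload is the one from the example above. The render_bound and quote_literal helpers only imitate what a database driver does with a bound parameter, so the difference in the resulting SQL can be inspected without a database.

```ruby
# Added illustration (not Expertiza code): why interpolating user input into a
# SQL WHERE clause is injectable and why a bound parameter is not.
# The function names and the hypothetical `users` table are assumptions.

# Vulnerable pattern: the input becomes part of the SQL text. In Rails this is
# the shape of  Model.where("name = '#{params[:name]}'").
def build_query_unsafe(name)
  "SELECT * FROM users WHERE name = '#{name}'"
end

# Safe pattern: the SQL text is fixed and the value travels separately as a
# bind parameter. In Rails: Model.where("name = ?", params[:name]) or the
# hash form Model.where(name: params[:name]).
def build_query_safe(name)
  ["SELECT * FROM users WHERE name = ?", [name]]
end

# What a driver does with a bound string value: it is quoted as one literal
# with embedded quotes doubled, so it can never close the literal and append a
# predicate of its own.
def quote_literal(value)
  "'#{value.gsub("'", "''")}'"
end

# Render a (sql, binds) pair the way the driver would see it, substituting each
# `?` with the quoted value. Only used here to make the difference visible.
def render_bound(sql, binds)
  binds.reduce(sql) { |acc, v| acc.sub("?", quote_literal(v)) }
end

# Blank out quoted string literals, then count OR keywords left in the
# structural part of the SQL. A query built from a single name should have
# none; a payload that broke out of the literal leaves an OR behind.
def or_predicates_outside_literals(sql)
  structural = sql.gsub(/'(?:[^']|'')*'/, "''")
  structural.scan(/\bOR\b/i).size
end

PAYLOAD = "' OR '1'='1" # constructed sample input, the payload from the page

unsafe = build_query_unsafe(PAYLOAD)
safe   = render_bound(*build_query_safe(PAYLOAD))
puts unsafe
puts safe
puts "OR predicates outside literals, unsafe: #{or_predicates_outside_literals(unsafe)}"
puts "OR predicates outside literals, safe:   #{or_predicates_outside_literals(safe)}"
```

Run with `ruby` to see the two rendered statements: the interpolated version ends in `name = '' OR '1'='1'`, a condition that is true for every row, while the bound version ends in a single quoted literal that merely fails to match any name. The same separation of SQL text from data is what the `?` placeholder and hash-condition forms of ActiveRecord's `where` provide, which is why the fix for an injection point is to move the input out of the query string rather than to filter characters.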
Files involved
Changes were made solely to sign_up_sheet_controller.rb.
Solution
TBD