CSC/ECE 517 Spring 2022 - E2227: SQL Injection Fix

From Expertiza_Wiki
Revision as of 20:46, 21 March 2022 by Lpobrien

This page details project documentation for the CSC/ECE 517 Spring 2022, "E2227 SQL Injection Fix" project.


Background

Expertiza is an open-source software system used to assign projects to students and to provide a place to submit work and review peers.

Many software projects such as Expertiza rely on user interaction to accomplish the tasks their users give them. To act on the information users enter, the system often has to query the database. When that input is not validated, a user can enter SQL fragments into an input field and reach parts of the database they were never given direct access to. This is possible because many SQL queries rely on Boolean logic, so an injected condition can change which rows a query matches. This is a serious security risk for the software system and raises privacy concerns for all users involved.

Example

Mentor

Nicholas Himes

Team Members

  • Lawrence O'Brien
  • David Glymph
  • Jacob Anderson

Code Modifications

Described below are the code refactoring tasks and issues addressed by this team. We have also included any pertinent details, reasoning, comments, warnings, etc., corresponding to each task.

Dynamic Finders

The SQL injection issue present in the Expertiza source code is caused by an unvalidated SQL query when searching for sign-up topics for assignments that require topics. The system used the static "find" method, which does not validate or in any way protect against malicious input. To solve this issue we used a find_by method, which forces all input to be used in searching for one specific key in the database rather than allowing additional keys to be accessed using string-terminating characters. This prevents unauthorized database access through SQL injection.
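The difference described above can be seen in the SQL text itself. This is an added example, not code from Expertiza or its pull request: the table and column names are assumptions, and `quote_literal` is a simplified stand-in for the value handling ActiveRecord applies to hash conditions such as `find_by(topic_name: value)`.

```ruby
# Added illustration, not Expertiza code. Table and column names are assumed.

# Vulnerable pattern: user input is interpolated into the SQL text.
def interpolated_sql(topic_name)
  "SELECT * FROM sign_up_topics WHERE topic_name = '#{topic_name}'"
end

# Simplified stand-in for adapter quoting: double embedded single quotes
# so the value cannot terminate the string literal.
def quote_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# What a hash condition amounts to: the column is fixed by the code and
# the input is only ever a value for that one column.
def quoted_sql(topic_name)
  "SELECT * FROM sign_up_topics WHERE topic_name = #{quote_literal(topic_name)}"
end

# Replace every string literal with '?', leaving only the statement
# structure that the database would execute.
def structure(sql)
  out = +""
  in_literal = false
  i = 0
  while i < sql.length
    ch = sql[i]
    if in_literal
      if ch == "'" && sql[i + 1] == "'"
        i += 1 # escaped quote, still inside the literal
      elsif ch == "'"
        in_literal = false
        out << "?"
      end
    elsif ch == "'"
      in_literal = true
    else
      out << ch
    end
    i += 1
  end
  out
end

# True when the input changed the statement beyond filling in one value.
def structure_changed?(sql)
  structure(sql) != "SELECT * FROM sign_up_topics WHERE topic_name = ?"
end

CONSTRUCTED_INPUT = "x' OR '1'='1" # constructed sample input
```

A legitimate value containing an apostrophe, such as "O'Brien", also changes the structure of the interpolated statement, which is why a query built this way fails on ordinary input as well as hostile input.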

Modified Files

  • sign_up_sheet_controller.rb
  • sign_up_sheet_controller_spec.rb

Testing

Running Tests

  rspec spec/controllers/sign_up_sheet_controller_spec.rb

GitHub links and Pull Request

Link to Expertiza repository: here

Link to the forked repository: here

Link to Pull Request: here

Images