This repository has been archived by the owner on Oct 21, 2022. It is now read-only.

smart-contracts/Metadata.txt : Database queries being formed with concatenation of strings/stringified values #1

Open
sveeke opened this issue Oct 3, 2018 · 1 comment

Comments

@sveeke

sveeke commented Oct 3, 2018

Database queries being formed with concatenation of strings/stringified values

In the smart-contract module, Metadata.txt file, the query is constructed using string concatenation and uses parameters directly, which may lead to query injection issues.

The attack vector is a peer node in the blockchain community, which can send malicious parameters causing SQL injection.

  1. $1 is used by concatenation
    Line 15: const entity = await query("SELECT", "entities", "WHERE entity = $1;", [from]);
    Line 24: const institution = await query("SELECT", "institutions", "WHERE institution = $1;"

  2. $1, $2 and $3 are used by concatenation
    Line 30: const changed = await query("UPDATE", "badgeclasses", "SET metadata = $3 WHERE class = $1 AND first_endorser = $2;", [payload.badgeClass, from, payload.metadata]);
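
Whether the three call sites above are injectable depends on what the project's query() helper does with the params array, and its body is not quoted in this issue. The following is an added illustration, not code from the repository: it models a query(op, table, clause, params) wrapper whose SQL text is concatenated only from the fixed fragments the caller hard-codes while caller data travels as bound $n parameters (an assumed shape), sets it beside a variant that splices the value into the SQL text, and records what each would hand to a node-postgres-style client for a constructed hostile `from` value. The "SELECT * FROM" expansion, the RecordingClient stand-in and the payload values are assumptions.

```javascript
'use strict';
// Added illustration, not code from the repository. The project's query()
// helper is not shown in the issue; the wrapper below (fixed SQL fragments
// joined by concatenation, untrusted values passed separately in `params`)
// is an assumption modelled on the three call sites quoted above.

// Stand-in for a node-postgres-style client. A real driver sends `text` and
// `values` to the server separately, so bound values never become SQL text.
class RecordingClient {
  constructor() {
    this.sent = [];
  }
  query(text, values = []) {
    this.sent.push({ text, values });
    return Promise.resolve({ rows: [] });
  }
}

// Assumed wrapper: query(op, table, clause, params). Only hard-coded fragments
// are concatenated into the text; caller-supplied data stays in `params`.
function buildParameterized(op, table, clause, params) {
  const verb = op === 'SELECT' ? 'SELECT * FROM' : op; // assumed expansion
  const text = `${verb} ${table} ${clause}`;
  // A pg client expects one value per distinct $n placeholder.
  const placeholders = new Set(text.match(/\$\d+/g) || []).size;
  if (placeholders !== params.length) {
    throw new Error(`clause has ${placeholders} placeholders, got ${params.length} params`);
  }
  return { text, values: params };
}

// The pattern the issue title warns about: the value is interpolated into the
// SQL text itself, so a quote in the value changes the statement.
function buildConcatenated(op, table, column, value) {
  const verb = op === 'SELECT' ? 'SELECT * FROM' : op;
  return { text: `${verb} ${table} WHERE ${column} = '${value}';`, values: [] };
}

// Replay the three Metadata.txt call sites through the assumed wrapper, then
// the concatenated variant, and return exactly what would reach the database.
function demo(from) {
  const client = new RecordingClient();
  const payload = { badgeClass: 'class-1', metadata: '{}' }; // constructed input
  const specs = [
    buildParameterized('SELECT', 'entities', 'WHERE entity = $1;', [from]),
    buildParameterized('SELECT', 'institutions', 'WHERE institution = $1;', [from]),
    buildParameterized('UPDATE', 'badgeclasses',
      'SET metadata = $3 WHERE class = $1 AND first_endorser = $2;',
      [payload.badgeClass, from, payload.metadata]),
    buildConcatenated('SELECT', 'entities', 'entity', from),
  ];
  for (const s of specs) client.query(s.text, s.values);
  return client.sent;
}

function main() {
  const hostile = "x' OR 1=1; --"; // constructed hostile peer parameter
  for (const s of demo(hostile)) console.log(JSON.stringify(s));
}

if (typeof require !== 'undefined' && require.main === module) main();
```

Running it prints four records: the first three carry the same statement text for any `from` and the hostile string only as a bound value, while the fourth has the quote and `OR 1=1` embedded in the statement. The placeholder-count check in buildParameterized is the cheap guard a reviewer would want around such a wrapper, since a mismatch between $n placeholders and the params array is the usual sign that a value was pasted into the clause string instead of the array.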

@wdenbakker

See #5 (comment).
