This repository has been archived by the owner on Oct 21, 2022. It is now read-only.

smart-contracts/Institutions.txt : Database queries being formed with concatenation of strings/stringified values #2

Open
sveeke opened this issue Oct 3, 2018 · 1 comment

Comments


sveeke commented Oct 3, 2018

Database queries being formed with concatenation of strings/stringified values

In the smart-contract module, Institutions.txt file, the query is constructed using string concatenation and uses parameters directly, which may lead to query injection issues.

The attack vector is a peer node in the blockchain community, which can send malicious parameters causing SQL injection.

  1. $2 is used by concatenation
     Line 23: "ON CONSTRAINT institutions_pkey DO UPDATE SET name = $2, allowed = true;"
  2. $1 is used by concatenation
     Line 26: const changed = await query("UPDATE", "institutions", "SET allowed = false WHERE institution = $1;"
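The distinction the report turns on, as an added example that is not the project's code: `$1` and `$2` in the quoted lines are the placeholder syntax node-postgres uses when the values are handed to the driver as a separate array, in which case the driver binds them out of band and they cannot alter the statement. The injection the reporter describes exists only if the project's `query` helper (whose body this page does not show) splices the values into the SQL text instead. The block below builds the page's UPDATE statement both ways with a constructed hostile institution id, and adds an allowlist check that rejects any statement text that is not one of the known placeholder templates, which is how a reviewer can catch accidental concatenation before the query reaches the driver. The INSERT template is an assumption reconstructed from the fragment quoted in item 1; only the UPDATE text is taken from the page.

```javascript
// Added example, not the project's code. Shows how the page's UPDATE can be
// formed by concatenation (injectable) or with a bound parameter (not), plus
// an allowlist check that flags the former.

// Constructed hostile input: an institution id a malicious peer might send.
// Concatenated into the text, the quote closes the literal and "; --"
// terminates the statement and comments out the rest.
const HOSTILE_ID = "x' OR 1=1; --";

// Vulnerable form: the value becomes part of the SQL text. With HOSTILE_ID the
// WHERE clause turns into  institution = 'x' OR 1=1  and every row is updated.
function buildByConcatenation(institution) {
  return (
    "UPDATE institutions SET allowed = false WHERE institution = '" +
    institution +
    "';"
  );
}

// Hardened form in node-postgres shape: constant text with a $1 placeholder and
// the value in a separate array. A driver sends text and values separately
// (extended query protocol), so the value can never change the statement.
function buildParameterized(institution) {
  return {
    text: "UPDATE institutions SET allowed = false WHERE institution = $1;",
    values: [institution],
  };
}

// Allowlist of statement texts this module is permitted to send. The UPDATE is
// quoted on the page; the INSERT is an assumed reconstruction of the fragment
// "ON CONSTRAINT institutions_pkey DO UPDATE SET name = $2, allowed = true;".
const KNOWN_STATEMENTS = new Set([
  "UPDATE institutions SET allowed = false WHERE institution = $1;",
  "INSERT INTO institutions (institution, name, allowed) VALUES ($1, $2, true) " +
    "ON CONFLICT ON CONSTRAINT institutions_pkey DO UPDATE SET name = $2, allowed = true;",
]);

// Number of distinct $n placeholders in a statement text.
function countPlaceholders(text) {
  return new Set(text.match(/\$\d+/g) || []).size;
}

// Gate a query before it goes to the driver. Rejects text that is not a known
// template (which is what a concatenated value produces) and placeholder /
// value mismatches that would make the driver error or bind the wrong column.
function checkQuery(q) {
  if (!KNOWN_STATEMENTS.has(q.text)) {
    return { ok: false, reason: "statement text is not a known template" };
  }
  const n = countPlaceholders(q.text);
  if (n !== q.values.length) {
    return { ok: false, reason: "placeholder count " + n + " != values " + q.values.length };
  }
  for (let i = 1; i <= n; i++) {
    if (!q.text.includes("$" + i)) {
      return { ok: false, reason: "placeholders are not numbered 1.." + n };
    }
  }
  return { ok: true };
}

// Usage: the concatenated query carries the payload in its text and is
// rejected; the parameterized one keeps the payload in values and passes.
const concatenated = { text: buildByConcatenation(HOSTILE_ID), values: [] };
const bound = buildParameterized(HOSTILE_ID);
console.log(concatenated.text, checkQuery(concatenated));
console.log(bound, checkQuery(bound));
```

The allowlist is deliberately exact-match: a module like this issues a handful of fixed statements, so any text that differs from the templates by even one character is a bug or an injection, and rejecting it is cheaper than trying to parse SQL.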

@wdenbakker

See #5 (comment).
