SQL/NoSQL Injection #94

alexbor 2016-03-02T11:34:28Z - 2 comments
alexbor commented 2016-03-02T11:34:28Z

Is this something that's been thought of yet? Maybe sanitising all query and params on the way in. May need discussion.

  • Wanted XS scripts
  • Wanted JS data
  • Special characters
FilipNest commented 2 years ago

This may be hard to do with a modular system but I suppose one solution would be putting parameters into the iris.route system options object. You could do things like type checking, stripping of certain values and all sorts there so you wouldn't actually need a validation block at the top of each POST/GET route. This could be a very useful system in itself. That options object in iris.route seems a perfect place for this.

Or is there general stuff we should always be stripping out in core no matter what? Do we have any particular cases? We're not doing anything like eval, the closest being the entity fetch system which is quite strict as to what it supports already. I wouldn't be surprised if there are risks but I'm not really sure where to start on them. Any pointers?
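An added example (not iris's own code) of the route-level check sketched in the comment above: a per-route schema that type-checks parameters, drops anything undeclared, and refuses values carrying MongoDB-style `$` operator keys, so the NoSQL side of the issue is handled once per route rather than in every handler. The schema shape, the `withParams` wrapper and the `req`/`res` objects are assumptions, not iris's real route API.

```javascript
// Added example, not iris's own code: a per-route parameter schema of the kind
// suggested above. Schema shape is an assumption: { name: { type, required } }.
// True if a parsed value contains any key starting with '$', which is how
// MongoDB-style operators would enter a query from user-controlled input.
function hasOperatorKeys(value) {
  if (Array.isArray(value)) return value.some(hasOperatorKeys);
  if (value !== null && typeof value === 'object') {
    return Object.keys(value).some((k) => k.startsWith('$') || hasOperatorKeys(value[k]));
  }
  return false;
}

// Type-checks declared parameters, rejects undeclared ones, and returns only
// the values that passed so handlers never touch the raw request input.
function validateParams(schema, params) {
  const errors = [];
  const clean = {};
  for (const name of Object.keys(params)) {
    if (!Object.prototype.hasOwnProperty.call(schema, name)) errors.push(`unexpected parameter "${name}"`);
  }
  for (const [name, rule] of Object.entries(schema)) {
    const value = params[name];
    if (value === undefined) {
      if (rule.required) errors.push(`missing parameter "${name}"`);
    } else if (value === null || typeof value !== rule.type) {
      errors.push(`parameter "${name}" must be ${rule.type}`);
    } else if (hasOperatorKeys(value)) {
      errors.push(`parameter "${name}" contains a query operator`);
    } else {
      clean[name] = value;
    }
  }
  return { ok: errors.length === 0, params: clean, errors };
}

// Runs the check once per route definition instead of at the top of every
// handler. The req/res shape is a minimal assumption, not iris's route API.
function withParams(schema, handler) {
  return (req, res) => {
    const result = validateParams(schema, req.body || {});
    if (!result.ok) return res.status(400).json({ errors: result.errors });
    return handler({ ...req, params: result.params }, res);
  };
}

// Constructed login schema: both fields must be plain strings.
const loginSchema = { username: { type: 'string', required: true }, password: { type: 'string', required: true } };
```

A handler wrapped with `withParams` only ever sees `req.params`, the filtered copy, so a string field can no longer arrive as an object.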

pau1m commented 2 years ago

OWASP top ten?