Closed Bug 1182993 Opened 10 years ago Closed 10 years ago

Treeherder SQL Injection

Categories

(Websites :: Other, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1182994

People

(Reporter: dchan, Unassigned)

Details

(Keywords: reporter-external, Whiteboard: [reporter-external] [web-bounty-form] [verif?])

The Treeherder API constructs raw SQL queries for certain endpoints. The data is not properly escaped, resulting in SQL injection.

STR:
1. Visit https://treeherder.mozilla.org/api/project/mozilla-central/bug-job-map/?offset=%27abcd

Result: SQL Error indicating successful injection
{"detail": "(1064, \"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''abcd,10' at line 1\")"}

Expected: No error

This specific bug exists due to the code not properly casting the GET param to an int. [1]
There may be more vulnerable API endpoints which call jobs_execute() in [2]

[1] - https://github.com/mozilla/treeherder/blob/12f80ce4486497e33131faeaae19429f1e00ff4e/treeherder/webapp/api/bug.py#L74
[2] - https://github.com/mozilla/treeherder/blob/12f80ce4486497e33131faeaae19429f1e00ff4e/treeherder/model/derived/jobs.py#L209
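The root cause the report names (a GET parameter pasted into raw SQL without being cast to an int), shown as an added illustration that is not Treeherder's code: an in-memory SQLite stand-in with a hypothetical `bug_job_map` table, the unsafe query builder beside a version that validates the parameter and binds it.

```python
import sqlite3

# Constructed stand-in for the endpoint's table; the schema is hypothetical,
# not Treeherder's.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bug_job_map (job_id INTEGER, bug_id INTEGER)")
    conn.executemany("INSERT INTO bug_job_map VALUES (?, ?)",
                     [(i, 1000 + i) for i in range(20)])
    return conn

def query_vulnerable(conn, raw_offset, count=10):
    """Pastes the raw GET value into the SQL text, the pattern the report describes.
    A non-numeric value lands inside the statement and the database answers with a
    syntax error, which is what the 1064 response above shows."""
    sql = ("SELECT job_id, bug_id FROM bug_job_map ORDER BY job_id LIMIT %s, %s"
           % (raw_offset, count))
    return conn.execute(sql).fetchall()

def parse_offset(raw, default=0):
    """Query-string values are strings: accept only a non-negative integer."""
    if raw is None:
        return default
    if not raw.isdecimal():  # rejects quotes, signs, spaces, anything non-numeric
        raise ValueError("offset must be a non-negative integer")
    return int(raw)

def query_fixed(conn, raw_offset, count=10):
    """Validates first, then binds the values instead of formatting them in."""
    offset = parse_offset(raw_offset)
    sql = "SELECT job_id, bug_id FROM bug_job_map ORDER BY job_id LIMIT ? OFFSET ?"
    return conn.execute(sql, (count, offset)).fetchall()

def run_both(raw_offset):
    """Feed the same raw parameter to both builders; return what each produced."""
    conn = make_db()
    try:
        vuln = query_vulnerable(conn, raw_offset)
    except sqlite3.OperationalError as exc:
        vuln = "sql error: %s" % exc
    try:
        fixed = query_fixed(conn, raw_offset)
    except ValueError as exc:
        fixed = "rejected: %s" % exc
    return vuln, fixed

if __name__ == "__main__":
    for raw in ("5", "'abcd"):
        print(raw, run_both(raw))
```

For a well-formed offset both builders return the same rows; for the malformed one the vulnerable builder surfaces a database syntax error while the fixed builder rejects the request before any SQL is built.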
:mcote - is this in your perimeter?
Assignee: nobody → mcote
Flags: needinfo?(mcote)
Sort of... CCing the project owner and a core developer.
Flags: needinfo?(mcote)
@ulfr: Oh weird... so it looks like the bug was created in the DB when I used the form, but didn't properly set the flag. The bug is actually resolved in bug 1182994
Depends on: 1182994
(In reply to Mark Côté [:mcote] from comment #2)
> Sort of... CCing the project owner and a core developer.

Please can you CC myself and :mdoglio too next time. This was fixed in bug 1182994 :-)
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
No longer depends on: 1182994
Resolution: --- → DUPLICATE
Group: websites-security