Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix Neural Solution SQL/CMD injection #1627

Merged
merged 6 commits into from
Feb 27, 2024
Merged

Fix Neural Solution SQL/CMD injection #1627

merged 6 commits into from
Feb 27, 2024

Conversation

Kaihui-intel
Copy link
Contributor

@Kaihui-intel Kaihui-intel commented Feb 23, 2024
edited
Loading

Type of Change

bug fix

Description

security issue:

  1. Through this SQL injection, an attacker can update the q_model_path field (or any other fields) of any task in the database. In the meantime, the API /download/<task_id> can be utilized to download any folder specified by the q_model_path field and there is no filtering or validation in place for this field. The attacker can easily download any content from the host system if they can update the q_model_path field of a task in the database.
  2. The task/submit API in the Neural Solution component of Neural Compressor is vulnerable to this remote code execution (RCE) attack. The script_url parameter in the body of the POST request is not validated or filtered on the backend. As a result, attackers can manipulate this parameter to remotely execute arbitrary commands.

solution:
Add task validation.

Expected Behavior & Potential Risk

the expected behavior that triggered by this PR

How has this PR been tested?

how to reproduce the test (including hardware information)

Dependency Change?

any library dependency introduced or removed

@Kaihui-intel
fix sql injection
df3cab2 
Signed-off-by: Kaihui-intel <[email protected]>
@Kaihui-intel
add docstring
c4b68d2 
Signed-off-by: Kaihui-intel <[email protected]>
@Kaihui-intel Kaihui-intel requested a review from yiliu30 February 23, 2024 09:38
@Kaihui-intel Kaihui-intel changed the title Fix Neural Solution SQL injection Fix Neural Solution SQL/CMD injection Feb 27, 2024
@chensuyue chensuyue merged commit 14b7b0a into master Feb 27, 2024
19 checks passed
@chensuyue chensuyue deleted the kaihui/ns_sql branch February 27, 2024 06:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yiliu30 yiliu30 yiliu30 approved these changes

Assignees
No one assigned
Labels
security
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Kaihui-intel @yiliu30 @chensuyue