SQL Injection?  #15

@Ed-zo

I don't know whether this is an important project, but many SQL statements in the routes folder allow SQL injection. Here is one of them. If it is not an important project, you can close the issue.

```js
`SELECT ${select} FROM downlink_messages ` +
"LEFT JOIN aps ON aps.id = downlink_messages.ap_id " +
"INNER JOIN nodes ON nodes.id = downlink_messages.node_id " +
"LEFT JOIN applications ON applications.id = downlink_messages.application_id " +
`WHERE downlink_messages.sent = ${sent} AND nodes.id = '${deviceId}' ` +
`ORDER BY ${column} ${order.toUpperCase()}, dev_id ${order.toUpperCase()} ` +
`LIMIT ${rowsPerPage} OFFSET ${rowsPerPage * page - rowsPerPage}`,
```
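
A hardened form of the query quoted above, as an added example that is not part of the original issue or the project's code. It binds the values as parameters and checks the identifiers, which cannot be bound, against an allowlist. The `$n` placeholder style (PostgreSQL), the `COLUMNS` allowlist and the function names are assumptions, since the page does not show the database driver or the schema.

```javascript
// Added example: the query from the issue, rebuilt with bound values and
// allowlisted identifiers. Assumes PostgreSQL-style $n placeholders.
// COLUMNS is a hypothetical allowlist; the real schema is not shown on the page.
const COLUMNS = new Map([
  ["id", "downlink_messages.id"],
  ["sent", "downlink_messages.sent"],
  ["ap_id", "downlink_messages.ap_id"],
  ["dev_id", "dev_id"],
]);

// Identifiers cannot be sent as bound parameters, so map them through the allowlist.
function sqlColumn(name) {
  const expr = COLUMNS.get(name);
  if (expr === undefined) throw new RangeError(`column not allowed: ${name}`);
  return expr;
}

function positiveInt(value, name) {
  const n = Number(value);
  if (!Number.isInteger(n) || n < 1) throw new RangeError(`${name} must be a positive integer`);
  return n;
}

// Returns { text, values }; values travel separately from the SQL text.
function buildDownlinkQuery({ select, sent, deviceId, column, order, rowsPerPage, page }) {
  if (!Array.isArray(select) || select.length === 0) {
    throw new TypeError("select must be a non-empty array");
  }
  if (typeof sent !== "boolean") throw new TypeError("sent must be a boolean");
  const dir = String(order).toUpperCase();
  if (dir !== "ASC" && dir !== "DESC") throw new RangeError("order must be ASC or DESC");
  const limit = positiveInt(rowsPerPage, "rowsPerPage");
  const offset = limit * positiveInt(page, "page") - limit;
  const text =
    `SELECT ${select.map(sqlColumn).join(", ")} FROM downlink_messages ` +
    "LEFT JOIN aps ON aps.id = downlink_messages.ap_id " +
    "INNER JOIN nodes ON nodes.id = downlink_messages.node_id " +
    "LEFT JOIN applications ON applications.id = downlink_messages.application_id " +
    "WHERE downlink_messages.sent = $1 AND nodes.id = $2 " +
    `ORDER BY ${sqlColumn(column)} ${dir}, dev_id ${dir} ` +
    "LIMIT $3 OFFSET $4";
  return { text, values: [sent, String(deviceId), limit, offset] };
}
```
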
