Fix SQL injection in biobank DAO selectInstances and cascade update#10676
HenriRabalais wants to merge 1 commit into
2b8fe0e to 50cafd1
ridz1208 (Contributor) approved these changes on Jun 23, 2026:

Following for once it is on 28.0-release
7023824 to e959bad
HenriRabalais (Author, Collaborator):

@skarya22 done!
Brief summary of changes
Fixes SQL injection in the biobank module's DAO layer. The `selectInstances` methods in the container, specimen, pool, and shipment DAOs built their WHERE clauses by concatenating `$condition['value']` directly into the query string and passed an empty parameter array to `pselectWithIndexKey`. User-supplied values reaching these methods (e.g. a container `barcode` or `shipmentBarcodes` via the container endpoint) could break out of the quoted string and inject arbitrary SQL.
Both reported exploits hit the same DAO code through different fields:

- `barcode` -> `containerdao::selectInstances` (via container validation)
- `shipmentBarcodes` -> `shipmentdao::selectInstances` (via shipment validation)

All four `selectInstances` methods now bind values to named placeholders and pass them through to `pselectWithIndexKey`. Column names are left interpolated as before, since every caller supplies them as hardcoded literals, never from user input.
Additionally, `containerdao::_cascadeToChildren` built an `UPDATE ... SET $field=$value` query with the value interpolated raw. `$value` originates from user-submitted container data (temperature, status, center), so this was a second injection point on the same endpoint. It now binds the value via a prepared statement.
Testing instructions
a `barcode` of `a" AND extractvalue(1,concat(0x7e,(SELECT @@version)))-- -`. information, and that the injected value is treated as a literal barcode.
shipments; cascade a temperature/status/center change to child containers) and confirm behaviour is unchanged.
Link to any issues this addresses
Reported via the Programme privé de prime aux bogues du Gouvernement du Québec
(YesWeHack). Internal refs: RITM0025010, RITM0024993.
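The two fixes the PR describes, as an added example that is not LORIS code: a condition-to-SQL builder that returns named placeholders with a parameter array (the "before" form spliced `$condition['value']` into the string and passed an empty array), and a cascade-style update that binds the value. The function names, the `container` table, the PDO/SQLite backend and the identifier check on column names are assumptions of this example.

```php
<?php
// Added example, not code from the LORIS biobank DAOs; it reproduces the
// pattern the PR describes. Function names, the "container" table, PDO with
// SQLite, and the identifier check are assumptions made for illustration.
// The vulnerable form built "$column='$value'" and passed [] as params.

// Each condition value becomes a named placeholder returned with the SQL.
// Column names stay interpolated, as in the PR, because callers hardcode
// them; the regex guard on the identifier is an extra check added here.
function buildSelect(string $table, array $conditions): array
{
    $clauses = [];
    $params  = [];
    foreach ($conditions as $i => $c) {
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $c['column'])) {
            throw new InvalidArgumentException('Unexpected column name');
        }
        $clauses[]      = "{$c['column']}=:v$i";
        $params[":v$i"] = $c['value'];
    }
    return ["SELECT * FROM $table WHERE " . implode(' AND ', $clauses), $params];
}

// Cascade-style update: $field is a literal chosen by the caller, $value is
// bound through the prepared statement rather than concatenated.
function cascadeUpdate(PDO $pdo, string $field, string $value, array $childIds): int
{
    $stmt = $pdo->prepare("UPDATE container SET $field=:value WHERE id=:id");
    $n = 0;
    foreach ($childIds as $id) {
        $stmt->execute([':value' => $value, ':id' => $id]);
        $n += $stmt->rowCount();
    }
    return $n;
}

// Demonstration on an in-memory SQLite database with constructed rows: a
// barcode containing a quote is compared as a literal string, not as SQL.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE container (id INTEGER, barcode TEXT, parent INTEGER)');
$pdo->exec("INSERT INTO container VALUES (1,'BC001',NULL),(2,'BC002',NULL)");
[$sql, $params] = buildSelect('container', [['column' => 'barcode', 'value' => "BC001' OR '1'='1"]]);
$stmt = $pdo->prepare($sql);
$stmt->execute($params);
echo count($stmt->fetchAll()) . " row(s) matched\n";
echo cascadeUpdate($pdo, 'parent', '1', [2]) . " child row(s) updated\n";
```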