Uploaded image for project: 'SonarQube'
  1. SonarQube
  2. SONAR-8461

WS api/languages/list does not escape the parameter "q"

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 5.6.4, 6.2
    • Component/s: Web API
    • Labels:

      Description

      The parameter "q" of WS api/languages/list is executed as a regexp, without being escaped. It leads to two vulnerabilities:

      • log flooding if value is not a valid regexp, for example q=%5B
      • resource pressure

        Attachments

          Activity

            People

            • Assignee:
              simon.brandhof Simon Brandhof
              Reporter:
              simon.brandhof Simon Brandhof
            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Due:
                Created:
                Updated:
                Resolved: