[SONAR-8462] WS api/rules/repositories does not escape the parameter "q" - SonarSource

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 5.6.4, 6.2
Component/s: Web API
Labels:
- Atlas

Description

The parameter q of WS api/rules/repositories is executed as a regexp, without being escaped. It leads to two vulnerabilities:

log flooding if value is not a valid regexp, for example q=%5B
resource pressure

Attachments

Activity

People

Assignee:

Simon Brandhof

Reporter:

Simon Brandhof

Votes:

0 Vote for this issue

Watchers:

1 Start watching this issue

Dates

Due:

08/Dec/16

Created:

01/Dec/16 2:09 PM

Updated:

19/Nov/18 8:52 PM

Resolved:

01/Dec/16 3:00 PM