[SONAR-8462] WS api/rules/repositories does not escape the parameter "q" - SonarSource

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 5.6.4, 6.2
Component/s: Web API
Labels:
- Atlas

Description

The parameter q of WS api/rules/repositories is executed as a regexp, without being escaped. It leads to two vulnerabilities:

log flooding if value is not a valid regexp, for example q=%5B
resource pressure

Attachments

Activity

People

Assignee:: Simon Brandhof (Inactive)

Reporter:: Simon Brandhof (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Due:: 08/Dec/16

Created:: 01/Dec/16 2:09 PM

Updated:: 19/Nov/18 8:52 PM

Resolved:: 01/Dec/16 3:00 PM