
Not to expose SQL queries while passing queries using REST #3

Open
OmkarPathak opened this issue Feb 27, 2019 · 6 comments

Comments

@OmkarPathak

SQL queries are exposed while passing the payload to https://api-fberry-demo.geex-arts.com/jet_api/sql/. The right way would be to build queries on the fly in the backend only. Is there any specific reason why queries are (literally) passed in the payload? Because of this, table names in the database are exposed to the world, which is a security risk.

@f1nality
Contributor

The reason for it now is that you can create any query on the frontend (for data analytics, for example) without needing to ask developers for it. Do you suggest writing queries on the backend side?

Also, if you are using HTTPS, then the data can't be sniffed.

@OmkarPathak
Author

@f1nality Yes, I strongly recommend building queries on the backend. Although data cannot be sniffed thanks to HTTPS, people can still see the database names and table names, which opens the door to other attacks.

@f1nality
Contributor

@OmkarPathak Yes, but the admin panel is not something public; only those you give access to will see it. SQL analytics services like https://redash.io/ work the same way. I think a better solution would be to add an SQL permission to the configuration, so that only those you give this permission to will see table names. SQL queries saved by admins can be encrypted so that those who don't have such permission won't see the query text. What do you think?

@OmkarPathak
Author

OmkarPathak commented Feb 28, 2019

@f1nality No, you didn't get me. See the highlighted part in the image below:

[image: screenshot highlighting the SQL query text in the request payload]

We can easily see what query is being passed. This shouldn't be the case.

@f1nality
Contributor

f1nality commented Mar 3, 2019

@OmkarPathak Yes, that's what I understood. My idea is to encrypt this query, so only the backend can decrypt it. Users that have the SQL permission will be able to see these queries, though.

Building queries on the backend will eliminate the advantage of building queries on the frontend; it's very handy.

@do-rtk

do-rtk commented Aug 1, 2019

I agree with @OmkarPathak; you should get rid of this.

While your use case of allowing users to build queries might be cool, having no way to gate what queries can be constructed is really dangerous. What if I construct a query deleting everything? Also, this creates a workaround for some control measures, e.g. the query manager only allows a user to see data in their org, but with SQL queries a user can simply go around that.

If you really want users to be able to construct something, I'd suggest using building blocks that you can easily control in the backend, not SQL. It's incredibly difficult to sanitize and guard SQL. Totally not worth it for the HUGE security loopholes it creates.
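One way to implement the "building blocks" approach suggested in the last comment, written here as an added example that is not part of this issue thread or of the project's own code: the client sends a structured description of a query (table, columns, filters, limit) instead of SQL text; the backend accepts identifiers only from an allowlist, binds every value as a parameter, and appends the org scope itself, so the client cannot widen it or enumerate tables it was never given. The table and column names, the SQLite schema and the sample rows are constructed for the example.

```python
import sqlite3

# Allowlist of tables and columns a client may reference. Constructed for
# this example; a real backend would load this from per-role configuration.
SCHEMA_ALLOWLIST = {
    "orders": {"id", "org_id", "customer", "total"},
    "customers": {"id", "org_id", "name", "email"},
}
# Comparison operators the client may use, mapped to the SQL we emit.
ALLOWED_OPS = {"eq": "=", "ne": "<>", "gt": ">", "lt": "<"}
MAX_LIMIT = 100


class QuerySpecError(ValueError):
    """Raised when a client query spec references anything outside the allowlist."""


def build_select(spec: dict, org_id: int) -> tuple[str, list]:
    """Turn a structured query spec into parameterized SQL.

    Identifiers come only from SCHEMA_ALLOWLIST (never from client strings),
    values are bound as parameters, and the org_id predicate is added by the
    server, so a client cannot widen its own data scope.
    """
    table = spec.get("table")
    if table not in SCHEMA_ALLOWLIST:
        raise QuerySpecError(f"table not allowed: {table!r}")
    allowed_cols = SCHEMA_ALLOWLIST[table]

    columns = spec.get("columns") or sorted(allowed_cols)
    if not isinstance(columns, list) or any(c not in allowed_cols for c in columns):
        raise QuerySpecError(f"columns not allowed: {columns!r}")

    where = ['"org_id" = ?']  # server-enforced tenancy scope, always present
    params: list = [org_id]
    for flt in spec.get("filters", []):
        col, op, value = flt.get("column"), flt.get("op"), flt.get("value")
        if col not in allowed_cols:
            raise QuerySpecError(f"filter column not allowed: {col!r}")
        if op not in ALLOWED_OPS:
            raise QuerySpecError(f"operator not allowed: {op!r}")
        if isinstance(value, bool) or not isinstance(value, (int, float, str)):
            raise QuerySpecError(f"unsupported filter value: {value!r}")
        where.append(f'"{col}" {ALLOWED_OPS[op]} ?')
        params.append(value)

    limit = spec.get("limit", MAX_LIMIT)
    if isinstance(limit, bool) or not isinstance(limit, int) or not 1 <= limit <= MAX_LIMIT:
        raise QuerySpecError(f"limit out of range: {limit!r}")
    params.append(limit)

    cols_sql = ", ".join(f'"{c}"' for c in columns)
    sql = f'SELECT {cols_sql} FROM "{table}" WHERE {" AND ".join(where)} LIMIT ?'
    return sql, params


def make_demo_db() -> sqlite3.Connection:
    """In-memory SQLite database with constructed sample rows for two orgs."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, org_id INTEGER, customer TEXT, total REAL)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?, ?)",
        [(1, 1, "acme", 10.0), (2, 1, "acme", 250.0), (3, 2, "globex", 99.0)],
    )
    return conn


def run_query(conn: sqlite3.Connection, spec: dict, org_id: int) -> list:
    """Validate, build and execute a client spec on behalf of org_id."""
    sql, params = build_select(spec, org_id)
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    db = make_demo_db()
    # A legitimate analytics-style request from a user in org 1.
    spec = {"table": "orders", "columns": ["id", "total"],
            "filters": [{"column": "total", "op": "gt", "value": 50}]}
    print(run_query(db, spec, org_id=1))  # [(2, 250.0)]
    # The same user asking for org 2's rows gets nothing: the server's
    # org_id predicate is ANDed with whatever the client sends.
    other_org = {"table": "orders",
                 "filters": [{"column": "org_id", "op": "eq", "value": 2}]}
    print(run_query(db, other_org, org_id=1))  # []
    # Schema tables are not in the allowlist, so they cannot be enumerated.
    try:
        build_select({"table": "sqlite_master"}, org_id=1)
    except QuerySpecError as exc:
        print("rejected:", exc)
```

The SQL string that reaches the database is assembled entirely from server-side constants plus bound parameters, so the request payload carries no SQL text and no table names other than the logical names the backend has chosen to expose; the per-org restriction from the comment above is applied unconditionally rather than trusting the client to include it.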
