
Additional sanitization

This commit is contained in:
Mark Kincaid
2025-11-05 10:50:45 -08:00
parent c99a6d1a5a
commit 51d68ba5e4
4 changed files with 66 additions and 17 deletions


@@ -128,7 +128,12 @@ public class MariaDbImporter(DatabaseConfig config, ILogger<MariaDbImporter> log
using var reader = command.ExecuteReader();
while (reader.Read())
{
columns.Add(reader.GetString(0));
var colName = reader.GetString(0);
// Validate column name immediately to prevent second-order SQL injection
IdentifierValidator.ValidateOrThrow(colName, "column name");
columns.Add(colName);
}
return columns;
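Review bot: The new invariant — every name this method returns has passed IdentifierValidator.ValidateOrThrow, and a malformed catalog entry aborts the whole read with that validator's exception — is only visible from the inline comment at L22, not from the method's contract; the method signature is outside the hunk, so this should be stated in its XML doc, e.g. `/// <returns>Column names that have passed <see cref="IdentifierValidator.ValidateOrThrow"/>.</returns>` and `/// <exception>Thrown by the identifier validator when a catalog name is not a safe identifier.</exception>`. The same applies to the equivalent readers in PostgresImporter, SqlServerExporter and SqlServerImporter. Validating at read time is sound, but callers that later interpolate these names into DDL should still rely on quoting at the point of use rather than on this comment alone.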


@@ -127,7 +127,12 @@ public class PostgresImporter(DatabaseConfig config, ILogger<PostgresImporter> l
using var reader = command.ExecuteReader();
if (reader.Read())
{
return reader.GetString(0);
var actualTableName = reader.GetString(0);
// Validate table name immediately to prevent second-order SQL injection
IdentifierValidator.ValidateOrThrow(actualTableName, "table name");
return actualTableName;
}
return null;
@@ -159,7 +164,12 @@ public class PostgresImporter(DatabaseConfig config, ILogger<PostgresImporter> l
using var reader = command.ExecuteReader();
while (reader.Read())
{
columns.Add(reader.GetString(0));
var colName = reader.GetString(0);
// Validate column name immediately to prevent second-order SQL injection
IdentifierValidator.ValidateOrThrow(colName, "column name");
columns.Add(colName);
}
return columns;
@@ -190,7 +200,12 @@ public class PostgresImporter(DatabaseConfig config, ILogger<PostgresImporter> l
using var reader = command.ExecuteReader();
while (reader.Read())
{
columnTypes[reader.GetString(0)] = reader.GetString(1);
var colName = reader.GetString(0);
// Validate column name immediately to prevent second-order SQL injection
IdentifierValidator.ValidateOrThrow(colName, "column name");
columnTypes[colName] = reader.GetString(1);
}
return columnTypes;
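Review bot: In the third hunk only the column name is validated; the type string from `reader.GetString(1)` at L60 is stored in `columnTypes` unchecked, and the same pattern appears in SqlServerImporter (L108) and in SqlServerExporter's `dataType` at L83. If those type strings are later spliced into generated CREATE TABLE or ALTER statements, they are catalog-sourced text just like the names and deserve the same treatment; whether they are used that way is not visible in these hunks. Either pass them through an allowlist of expected type names or, if they are only ever compared and never emitted, add a comment saying so, e.g. `// type string is only compared, never interpolated into SQL`. The enclosing methods start and end outside the hunks.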


@@ -92,7 +92,12 @@ public class SqlServerExporter(DatabaseConfig config, ILogger<SqlServerExporter>
var tables = new List<string>();
while (reader.Read())
{
tables.Add(reader.GetString(0));
var tableName = reader.GetString(0);
// Validate table name immediately to prevent second-order SQL injection
IdentifierValidator.ValidateOrThrow(tableName, "table name");
tables.Add(tableName);
}
_logger.LogInformation("Discovered {Count} tables: {Tables}", tables.Count, string.Join(", ", tables));
@@ -143,6 +148,10 @@ public class SqlServerExporter(DatabaseConfig config, ILogger<SqlServerExporter>
while (reader.Read())
{
var colName = reader.GetString(0);
// Validate column name immediately to prevent second-order SQL injection
IdentifierValidator.ValidateOrThrow(colName, "column name");
var dataType = reader.GetString(1);
var isNullable = reader.GetString(2);
var maxLength = reader.IsDBNull(3) ? (int?)null : reader.GetInt32(3);


@@ -87,7 +87,12 @@ public class SqlServerImporter(DatabaseConfig config, ILogger<SqlServerImporter>
using var reader = command.ExecuteReader();
while (reader.Read())
{
columns.Add(reader.GetString(0));
var colName = reader.GetString(0);
// Validate column name immediately to prevent second-order SQL injection
IdentifierValidator.ValidateOrThrow(colName, "column name");
columns.Add(colName);
}
return columns;
@@ -123,7 +128,12 @@ public class SqlServerImporter(DatabaseConfig config, ILogger<SqlServerImporter>
using var reader = command.ExecuteReader();
while (reader.Read())
{
columnTypes[reader.GetString(0)] = reader.GetString(1);
var colName = reader.GetString(0);
// Validate column name immediately to prevent second-order SQL injection
IdentifierValidator.ValidateOrThrow(colName, "column name");
columnTypes[colName] = reader.GetString(1);
}
return columnTypes;
@@ -274,11 +284,16 @@ public class SqlServerImporter(DatabaseConfig config, ILogger<SqlServerImporter>
while (reader.Read())
{
constraints.Add((
reader.GetString(0),
reader.GetString(1),
reader.GetString(2)
));
var schema = reader.GetString(0);
var table = reader.GetString(1);
var constraint = reader.GetString(2);
// Validate all identifiers immediately to prevent second-order SQL injection
IdentifierValidator.ValidateOrThrow(schema, "schema name");
IdentifierValidator.ValidateOrThrow(table, "table name");
IdentifierValidator.ValidateOrThrow(constraint, "constraint name");
constraints.Add((schema, table, constraint));
}
_logger.LogDebug("Found {Count} constraints to re-enable from tracking table", constraints.Count);
@@ -399,11 +414,16 @@ public class SqlServerImporter(DatabaseConfig config, ILogger<SqlServerImporter>
{
while (reader.Read())
{
constraints.Add((
reader.GetString(0),
reader.GetString(1),
reader.GetString(2)
));
var schema = reader.GetString(0);
var table = reader.GetString(1);
var constraint = reader.GetString(2);
// Validate all identifiers immediately to prevent second-order SQL injection
IdentifierValidator.ValidateOrThrow(schema, "schema name");
IdentifierValidator.ValidateOrThrow(table, "table name");
IdentifierValidator.ValidateOrThrow(constraint, "constraint name");
constraints.Add((schema, table, constraint));
}
}
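Review bot: The last two hunks (L119–L126 and L138–L145) now carry an identical eight-line read-and-validate body for the constraint tuple; a single private helper such as `private static (string Schema, string Table, string Constraint) ReadValidatedConstraint(IDataReader reader)` that reads the three columns, validates each, and returns the tuple would keep the two loops in sync so a future change to which identifiers are validated cannot be applied to one loop and missed in the other. Both loops would then reduce to `constraints.Add(ReadValidatedConstraint(reader));`. The reader's concrete type is outside the hunk, so the parameter type may need adjusting.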