
Security Report #569

Open
scr2em opened this issue Jul 5, 2024 · 1 comment

Comments


scr2em commented Jul 5, 2024

Describe the bug
I have been asked to perform a DAST on my Capacitor application, and I got these risks using immuniweb.com
[image]

This one High risk is due to these statements in the code
[image]

[image]

Any chance you might be looking into this?


scr2em commented Jul 5, 2024

After a 30-minute investigation: in SQLite, table and column names cannot be parameterized, only the values, so we are forced to use string construction, but...

We can query the database first to find out whether there is a table with that name or not; this means the table name will be used as a value here, which can be parameterized:

```sql
SELECT tbl_name FROM sqlite_master WHERE type = 'table' AND tbl_name = ?
```

The DAST would still fail, but there would be a very good justification.
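An added example of the gate proposed above, written here in Python with the standard-library sqlite3 module and a constructed in-memory schema (it is not the plugin's own code): the untrusted table name is bound as a parameter to the sqlite_master lookup, and the dynamic statement is built only for a name that lookup confirms. It also exercises two inputs the comment does not mention, an upper-cased name and an injection-shaped string, to show that the check fails closed for both.

```python
import sqlite3

# The existence check from the issue: the name is bound as a value, never spliced into SQL.
EXISTS_SQL = "SELECT tbl_name FROM sqlite_master WHERE type = 'table' AND tbl_name = ?"


def table_exists(conn: sqlite3.Connection, table: str) -> bool:
    """Allow-list check against the catalogue. `=` on tbl_name uses BINARY collation,
    so it is case-sensitive even though SQLite resolves identifiers case-insensitively;
    an upper-cased name is therefore rejected rather than silently accepted."""
    return conn.execute(EXISTS_SQL, (table,)).fetchone() is not None


def quote_identifier(name: str) -> str:
    """Double-quote an identifier for the dynamic statement, doubling embedded quotes."""
    return '"' + name.replace('"', '""') + '"'


def count_rows(conn: sqlite3.Connection, table: str) -> int:
    """Build the string-constructed statement only for a name sqlite_master already knows."""
    if not table_exists(conn, table):
        raise ValueError(f"unknown table: {table!r}")
    # Safe to interpolate now: the name matched an existing table byte-for-byte.
    return conn.execute(f"SELECT COUNT(*) FROM {quote_identifier(table)}").fetchone()[0]


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory fixture; the schema is hypothetical, not the plugin's."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users(id INTEGER); INSERT INTO users VALUES (1), (2);"
        "CREATE TABLE secrets(token TEXT); INSERT INTO secrets VALUES ('t');"
    )
    return conn


def try_count(conn: sqlite3.Connection, table: str) -> str:
    """Outcome label so the gate can be exercised on rejected input as well."""
    try:
        return f"rows={count_rows(conn, table)}"
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    db = make_demo_db()
    for name in ("users", "USERS", 'users"; DROP TABLE secrets; --'):
        print(repr(name), "->", try_count(db, name))
```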
