Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix GQL injection vulnerability #1134

Merged
merged 9 commits into from
Jul 2, 2024
Merged

Fix GQL injection vulnerability #1134

merged 9 commits into from
Jul 2, 2024

Conversation

tsmith023
Copy link
Contributor

@tsmith023 tsmith023 commented Jun 28, 2024
edited
Loading

This PR fixes a vulnerability present in the .graphql namespace methods of the weaviate.Client object since v3.23.0 whereby \ characters were not escaped appropriately allowing for malicious plain-text strings in .with_where to query database-wide data

Closes:

@tsmith023 tsmith023 mentioned this pull request Jun 28, 2024
Closed
@tsmith023 tsmith023 changed the title Add test attempting to demostrate the GQL injection vulnerability Fix GQL injection vulnerability Jul 2, 2024
@tsmith023 tsmith023 marked this pull request as ready for review July 2, 2024 08:53
@tsmith023 tsmith023 requested a review from a team as a code owner July 2, 2024 08:53
@tsmith023 tsmith023 requested a review from dirkkul July 2, 2024 08:53
@dirkkul dirkkul merged commit d99cfc3 into stable/v3 Jul 2, 2024
26 of 27 checks passed
@dirkkul dirkkul deleted the v3/gql-query-injection branch July 2, 2024 09:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dirkkul dirkkul dirkkul approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@tsmith023 @dirkkul