Security issue: Unsanitized DB connection/write

[bondjimbond]

Security issue identified by DGI:

• Raw usage of $_GET, $_SERVER that then connects directly to a database without sanitation: arks-service/admin/rest.php at 0af91e1 · digitalutsc/arks-service

    if (!empty($_POST['data'][strtoupper('Ark_ID')])) { // any pending data must has Ark_ID column
        $noid = Database::dbopen($_GET["db"], dbpath(), DatabaseInterface::DB_WRITE);

[HyphenHook]

@bondjimbond

Could we get more information regarding what form of sanitation is needed here? We do have a database existence check in place. Also can we get more information regarding security issues with $_SERVER.

[bondjimbond]

I don't really know the details; the issue was reported to me by DGI when they were trying out connections with the arks-service server. Based on this and some other issues identified (e.g. #40) they estimated a lot more work they'd need to do, so I asked them to stop working on it.

[joshdentremont]

I'm guessing they are referring to stuff like this as well: https://github.com/digitalutsc/arks-service/blob/main/admin/rest.php#L127C32-L127C39, which is coming from this: https://github.com/digitalutsc/arks-service/blob/main/admin/rest.php#L31

I don't see anywhere that $_SERVER is being used in database queries.