Sanitize Delivery Service Request Comment ID

Fixes CVE-2024-45387: SQL Injection in Traffic Ops endpoint PUT deliveryservice_request_comments.
apache · Sep 27, 2024 · 2212894 · 2212894
1 parent f41b221
commit 2212894
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 10 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,8 +4,7 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 
 ##[8.1.0] - 2024-09-27
-- [#](https://github.com/apache/trafficcontrol/pull/) *Traffic Ops* Fixed nullability issues in `POST /user/reset_password`.
-
+- [#](https://github.com/apache/trafficcontrol/pull/) *Traffic Ops* Fixed nullability issues in `POST /user/reset_password` and Sanitize Delivery Service Request Comment ID to fix [CVE-2024-45387](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45387): SQL Injection in Traffic Ops endpoint PUT deliveryservice_request_comments.
 
 ## [8.0.1] - 2024-03-19
 ### Fixed

diff --git a/traffic_ops/traffic_ops_golang/deliveryservice/request/comment/comments.go b/traffic_ops/traffic_ops_golang/deliveryservice/request/comment/comments.go
@@ -264,6 +264,7 @@ func Get(w http.ResponseWriter, r *http.Request) {
 // Validate is used to ensure that the DeliveryServiceRequestCommentV5 struct passed in to the function is valid.
 func Validate(dsrc tc.DeliveryServiceRequestCommentV5) error {
 	errs := validation.Errors{
+		"id":                       validation.Validate(dsrc.ID, validation.NotNil),
 		"deliveryServiceRequestId": validation.Validate(dsrc.DeliveryServiceRequestID, validation.NotNil),
 		"value":                    validation.Validate(dsrc.Value, validation.NotNil),
 	}
@@ -286,14 +287,21 @@ func Update(w http.ResponseWriter, r *http.Request) {
 		api.HandleErr(w, r, tx, http.StatusBadRequest, err, nil)
 		return
 	}
+	idParam := inf.Params["id"]
+	id, parseErr := strconv.Atoi(idParam)
+	if parseErr != nil {
+		api.HandleErr(w, r, inf.Tx.Tx, http.StatusBadRequest, errors.New("id must be an integer"), nil)
+		return
+	}
+	deliveryServiceRequestComment.ID = id
 
 	if err := Validate(deliveryServiceRequestComment); err != nil {
 		api.HandleErr(w, r, tx, http.StatusBadRequest, err, nil)
 		return
 	}
 
 	var current tc.DeliveryServiceRequestCommentV5
-	err := inf.Tx.QueryRowx(selectQuery() + `WHERE dsrc.id=` + inf.Params["id"]).StructScan(&current)
+	err := inf.Tx.QueryRowx(selectQuery() + `WHERE dsrc.id=` + strconv.Itoa(deliveryServiceRequestComment.ID)).StructScan(&current)
 	if err != nil {
 		api.HandleErr(w, r, tx, http.StatusInternalServerError, nil, errors.New("scanning deliveryservice_request_comment: "+err.Error()))
 		return
@@ -305,13 +313,6 @@ func Update(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	deliveryServiceRequestComment.AuthorID = current.AuthorID
-	idParam := inf.Params["id"]
-	id, parseErr := strconv.Atoi(idParam)
-	if parseErr != nil {
-		api.HandleErr(w, r, inf.Tx.Tx, http.StatusBadRequest, errors.New("id must be an integer"), nil)
-		return
-	}
-	deliveryServiceRequestComment.ID = id
 	userErr, sysErr, sc := api.CheckIfUnModified(r.Header, inf.Tx, id, "deliveryservice_request_comment")
 	if userErr != nil || sysErr != nil {
 		api.HandleErr(w, r, tx, sc, userErr, sysErr)