Skip to content

[wall-of-fame]: Finding SQL Injection with CodeQL #849

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
leonnewton opened this issue Nov 7, 2024 · 4 comments
Open

[wall-of-fame]: Finding SQL Injection with CodeQL #849

leonnewton opened this issue Nov 7, 2024 · 4 comments
Labels
wall-of-fame

Comments

@leonnewton
Copy link

leonnewton commented Nov 7, 2024
edited
Loading

Date

2024-08-27

Title

Finding SQL Injeciton in LF Edge eKuiper and Devtron

Author

Yuan Luo

URL

GHSA-r5ph-4jxm-6j9p
GHSA-q78v-cv36-8fxj

CVE

CVE-2024-43406, CVE-2024-45794

Description

Using CodeQL to scan repos to find SQL injections.
@leonnewton leonnewton changed the title [wall-of-fame]: Finding SQL Injection in sqlKvStore of LF Edge eKuiper with CodeQL [wall-of-fame]: Finding SQL Injection with CodeQL Nov 8, 2024
@xcorail
Copy link
Contributor

xcorail commented Mar 21, 2025

Hey @leonnewton
Sorry this has fallen through the cracks ...
There is no write up about the findings, right? Just the advisories?

@leonnewton
Copy link
Author

Hi @xcorail
Yes, there is no additional write up. But there are details about the vulnerabilities in the advisories, e.g., the root cause, Poc code, the source and sink of data flow detected by CodeQL.

@xcorail
Copy link
Contributor

xcorail commented Mar 24, 2025

Hey @leonnewton

Yeah, I can see all those details in the advisories, however, there is no explicit mention that these issues were found with the help of CodeQL (unless I missed it), even if I know that CodeQL could find those.

I wouldn't want to give credit to CodeQL without this explicit mention coming from the reporters (you). As all details are already in the advisories, a very short write-up stating that would suffice, or the addition directly in the advsories.

@github github deleted a comment from ABDULBASITMEHMET May 3, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
wall-of-fame
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@leonnewton @xcorail