Suppress warning about CVE-2024-49203 (#71)

https://nvd.nist.gov/vuln/detail/CVE-2024-49203 https://github.com/querydsl/querydsl/issues/3757 Basically if you allow untrusted user input to be used in the "ORDER BY" clause you can be vulnerable to SQL injection. I believe this is nonsense and akin to saying every Java application has a security vulnerability because JDBC allows you to execute arbitrary SQL if you do not properly use PreparedStatement with parameters over a string-concatenated Statement. Even if this is considered a valid vulnerability we do not, currently, allow untrusted user input to be used in the "ORDER BY" clause. Fixes #45 Reviewed-on: https://gitea.dsv.su.se/DMC/scipro/pulls/71 Reviewed-by: Tom Zhao <tom.zhao@dsv.su.se> Co-authored-by: Andreas Svanberg <andreass@dsv.su.se> Co-committed-by: Andreas Svanberg <andreass@dsv.su.se>
2025-01-09 12:54:43 +01:00 · 2025-01-09 12:54:43 +01:00 · 6bdd5c63ea
commit 6bdd5c63ea
parent adf45414d5
1 changed files with 18 additions and 0 deletions
--- a/owasp.xml
+++ b/owasp.xml
@ -72,4 +72,22 @@
        </notes>
        <cve>CVE-2024-23076</cve>
    </suppress>
+    <suppress>
+        <notes>
+            https://nvd.nist.gov/vuln/detail/CVE-2024-49203
+            https://github.com/querydsl/querydsl/issues/3757
+
+            Basically if you allow untrusted user input to be used in the "ORDER BY" clause
+            you can be vulnerable to SQL injection.
+
+            I believe this is nonsense and akin to saying every Java application has a
+            security vulnerability because JDBC allows you to execute arbitrary SQL if you
+            do not properly use PreparedStatement with parameters over a string-concatenated
+            Statement.
+
+            Even if this is considered a valid vulnerability we do not, currently, allow
+            untrusted user input to be used in the "ORDER BY" clause.
+        </notes>
+        <cve>CVE-2024-49203</cve>
+    </suppress>
 </suppressions>