From 6bdd5c63ea0818122889d74841d8299a30fd4b40 Mon Sep 17 00:00:00 2001
From: Andreas Svanberg <andreass@dsv.su.se>
Date: Thu, 9 Jan 2025 12:54:43 +0100
Subject: [PATCH] Suppress warning about CVE-2024-49203 (#71)

https://nvd.nist.gov/vuln/detail/CVE-2024-49203
https://github.com/querydsl/querydsl/issues/3757

Basically, if you allow untrusted user input to be used in the "ORDER BY" clause, you can be vulnerable to SQL injection.

I believe this is nonsense and akin to saying every Java application has a security vulnerability because JDBC allows you to execute arbitrary SQL if you do not properly use PreparedStatement with parameters over a string-concatenated Statement.

Even if this is considered a valid vulnerability, we do not, currently, allow untrusted user input to be used in the "ORDER BY" clause.

Fixes #45

Reviewed-on: https://gitea.dsv.su.se/DMC/scipro/pulls/71
Reviewed-by: Tom Zhao <tom.zhao@dsv.su.se>
Co-authored-by: Andreas Svanberg <andreass@dsv.su.se>
Co-committed-by: Andreas Svanberg <andreass@dsv.su.se>
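The mechanism the commit message argues about, as an added example that is not part of the original patch or of the scipro/querydsl code: an ORDER BY clause cannot be parameterised the way a WHERE value can (a bound parameter in ORDER BY is a constant, so it sorts nothing), which is why frameworks end up concatenating the sort expression and why only an allowlist of column names closes the hole. The example uses Python's sqlite3 rather than JDBC/Querydsl, with a constructed in-memory table; `setup_db`, `order_by_concat`, `order_by_allowlist` and the `leak_alice_score` oracle are hypothetical names chosen for this illustration. It also goes one step beyond the message by showing how an attacker turns an unsanitised ORDER BY into a boolean oracle that leaks data through the row order alone, without needing stacked statements.

```python
import sqlite3

# Constructed sample data for the demonstration (not taken from any real system).
ROWS = [("alice", 3), ("bob", 1), ("carol", 2)]

# Hypothetical allowlist: the only sort fields the application exposes, mapped to
# the column names that are actually interpolated into SQL.
ALLOWED_SORT = {"name": "name", "score": "score"}


def setup_db():
    """Create a throwaway in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, score INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def order_by_concat(conn, sort_expr):
    """VULNERABLE: the caller-controlled sort expression is concatenated into SQL.

    This is the pattern CVE-2024-49203 describes: whatever string arrives here
    becomes part of the ORDER BY clause and is parsed as SQL.
    """
    return conn.execute("SELECT name FROM users ORDER BY " + sort_expr).fetchall()


def order_by_bound_param(conn, sort_expr):
    """Safe but useless: a bound parameter in ORDER BY is a literal, not a column.

    Every row gets the same constant sort key, so the database applies no
    meaningful ordering. This is why ORDER BY cannot simply be "parameterised".
    """
    return conn.execute("SELECT name FROM users ORDER BY ?", (sort_expr,)).fetchall()


def order_by_allowlist(conn, field, descending=False):
    """Hardened: map the user's field name through an allowlist before interpolating.

    Only strings we wrote ourselves ever reach the SQL text; unknown fields are
    rejected instead of being passed through.
    """
    column = ALLOWED_SORT.get(field)
    if column is None:
        raise ValueError(f"unsupported sort field: {field!r}")
    direction = "DESC" if descending else "ASC"
    sql = f"SELECT name FROM users ORDER BY {column} {direction}"
    return conn.execute(sql).fetchall()


def leak_alice_score(conn, guess):
    """Attacker's view of the vulnerable endpoint: a boolean oracle via row order.

    The injected CASE sorts by name when the guess is right and by score when it
    is wrong. Comparing the returned order against a known baseline tells the
    attacker whether the guess was correct, one bit per request, without any
    error message or stacked statement.
    """
    payload = (
        "(CASE WHEN (SELECT score FROM users WHERE name='alice') = "
        f"{int(guess)} THEN name ELSE score END)"
    )
    baseline = order_by_concat(conn, "name")
    return order_by_concat(conn, payload) == baseline


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable, honest input :", order_by_concat(db, "score DESC"))
    print("bound parameter (no sort):", order_by_bound_param(db, "score"))
    print("allowlisted              :", order_by_allowlist(db, "score", descending=True))
    for g in (1, 2, 3):
        print(f"oracle: alice.score == {g}? {leak_alice_score(db, g)}")
    try:
        order_by_allowlist(db, "score; DROP TABLE users")
    except ValueError as e:
        print("rejected:", e)
```

The allowlist is the only one of the three that is both safe and functional: it never lets user text reach the SQL string, and it still sorts. The same shape applies to Querydsl: resolve the request's sort parameter to one of a fixed set of `OrderSpecifier` objects the application constructs itself, rather than building an order expression from the raw string.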
---
 owasp.xml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/owasp.xml b/owasp.xml
index c504d51e0f..125e5e37f6 100644
--- a/owasp.xml
+++ b/owasp.xml
@@ -72,4 +72,22 @@
         </notes>
         <cve>CVE-2024-23076</cve>
     </suppress>
+    <suppress>
+        <notes>
+            https://nvd.nist.gov/vuln/detail/CVE-2024-49203
+            https://github.com/querydsl/querydsl/issues/3757
+
+            Basically if you allow untrusted user input to be used in the "ORDER BY" clause
+            you can be vulnerable to SQL injection.
+
+            I believe this is nonsense and akin to saying every Java application has a
+            security vulnerability because JDBC allows you to execute arbitrary SQL if you
+            do not properly use PreparedStatement with parameters over a string-concatenated
+            Statement.
+
+            Even if this is considered a valid vulnerability we do not, currently, allow
+            untrusted user input to be used in the "ORDER BY" clause.
+        </notes>
+        <cve>CVE-2024-49203</cve>
+    </suppress>
 </suppressions>
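Review bot: the new `<suppress>` block is keyed only by `<cve>CVE-2024-49203</cve>`, with no `<packageUrl>` or `<gav>` child, so it silences this CVE for whatever dependency dependency-check attributes it to, now or after a future upgrade, rather than just the querydsl artifacts; add a package selector (as a `<packageUrl>` or `<gav>` element) so the suppression stays scoped. The notes also justify the suppression with "we do not, currently, allow untrusted user input to be used in the "ORDER BY" clause", which is a property of this application's code rather than of the library, so consider an `until="YYYY-MM-DD"` attribute on the `<suppress>` element to force periodic re-review, and name in the notes the code path where sort parameters are mapped to fixed `OrderSpecifier`s so the next reader can verify the claim instead of taking it on faith.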