Skip to main content

Public

Project privacy set to public. By default, its content is available to everyone (authenticated or not). Please note that more restrictive permissions might exist on some items.

    •  
      request #43703 Remove all usages of MD5 in cross tracker search
    Infos
    #43703
    Thomas Gerbet (tgerbet)
    2025-11-18 22:01
    2025-07-09 16:32
    45411
    Details
    Remove all usages of MD5 in cross tracker search

    Currently MD5 is being used in cross tracker search as a way to transform field names in order to prevent injection in the queries via the aliases. This is not an appropriate usage, EasyDB::escapeIdentifier should be used instead.

    Additional note: this is the proper fix for request #43345.

    Cross tracker search
    All
    Empty
    • [ ] enhancement
    • [x] internal improvement
    Empty
    Stage
    Empty
    Closed
    2025-07-23
    Attachments
    Empty
    References
    Referencing request #43703

    Git commit

    tuleap/tuleap/stable

    fix: request #43703 Remove all usages of MD5 in cross tracker search f32f44c83f
    User avatar Clarisse Deschamps (cdeschamps) , 2025-07-23 16:52
    Merge 'gerrit #35057' into stable/master 0039454569
    User avatar Thomas Gerbet (tgerbet) , 2025-07-23 17:50
    Display settings

    Follow-ups

    User avatar
    Joris MASSON (jmasson)2025-07-11 16:20

    Indeed. Fields with the same name are not allowed in a given tracker, so it was good enough

    User avatar
    Thomas Gerbet (tgerbet)2025-07-11 15:37

    It also does not prevent collisions: the same name will give you the same hash.

    User avatar
    Joris MASSON (jmasson)2025-07-11 15:30

    For the record, the main goal was not so much to prevent injection but more to prevent alias name collisions in the SQL queries. Given that we can select N string fields, we cannot use a fixed alias for the DB tables related to string fields.

    User avatar
    Thomas Gerbet (tgerbet)2025-07-09 16:36
    • Original Submission
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes