[SNYK] Sanitized and bound queries in contactgroup file
Description
Queries should be sanitized (if possible) and bound using PDO statement to reduce attack surface and clean legacy code
Where
www/include/configuration/configObject/contactgroup/DB-Func.php
Lines: 150 and 160
What
Globally:
- sanitize, if possible, each variable inserted in a query
- use PDO prepared statements and the bind() method
- do not use $pearDB->escape, which is for example useless on integers and on unclosed HTML tags (svg, img, etc.)
- verify that IDs are saved as integers in the database before binding them
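The pattern the PR asks for, as an added example that is not Centreon's code: the legacy escape-and-concatenate query is shown next to its bound replacement, and the integer id is validated before it reaches the statement. It uses an in-memory SQLite database through plain PDO so it runs offline; the `contactgroup` table, its columns and the sample rows are constructed for this example and do not come from the Centreon schema.

```php
<?php
// Added example (not Centreon code). Table, columns and rows are constructed
// for illustration; $db is a plain PDO connection to an in-memory SQLite file.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE contactgroup (cg_id INTEGER PRIMARY KEY, cg_name TEXT NOT NULL)');
$db->exec("INSERT INTO contactgroup (cg_id, cg_name) VALUES (1, 'Admins'), (2, 'On-call')");

/**
 * Validate that a value really is a positive integer id before it reaches SQL.
 * An escape() helper only quotes string delimiters; for an unquoted integer
 * operand it changes nothing, so validation is the only check that matters.
 */
function requireIntId($value): int
{
    $id = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('contact group id must be a positive integer');
    }
    return $id;
}

// Legacy style (the "before" the PR replaces): the id is concatenated into the
// SQL text. Nothing but the caller's validation stands between input and query.
function legacyFindContactGroup(PDO $db, string $rawId): array
{
    $sql = "SELECT cg_id, cg_name FROM contactgroup WHERE cg_id = " . $rawId;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened style: validate first, then bind with an explicit PDO type so the
// driver sends the value separately from the SQL text.
function findContactGroup(PDO $db, $rawId): ?array
{
    $id = requireIntId($rawId);
    $stmt = $db->prepare('SELECT cg_id, cg_name FROM contactgroup WHERE cg_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Strings are bound the same way. No quoting or tag stripping is needed to keep
// the query intact, which is why escape() is not the right tool for names either.
function findContactGroupByName(PDO $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT cg_id, cg_name FROM contactgroup WHERE cg_name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage: a valid id from a request parameter, a name containing a quote, and a
// malformed id that is rejected before any SQL is built.
print_r(findContactGroup($db, '2'));                 // row for id 2 ("On-call")
var_dump(findContactGroupByName($db, "O'Reilly"));   // NULL: no row, and no syntax error
try {
    findContactGroup($db, '2 abc');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The design choice worth noting is the order of operations: `requireIntId()` runs before `prepare()`, so a non-integer never becomes a bound parameter in the first place, and `PDO::PARAM_INT` documents the column type at the call site, which is what the last checklist item (IDs stored as integers) lets the reviewer confirm.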
Fixes # MON-14667
Type of change
- [x] Patch fixing an issue (non-breaking change)
- [ ] New functionality (non-breaking change)
- [ ] Breaking change (patch or feature) that might cause side effects breaking part of the Software
Target serie
- [x] 21.04.x
- [x] 21.10.x
- [x] 22.04.x
- [x] 22.10.x (master)
How can this pull request be tested?
Access to “Configuration > Users > Contact Groups” menu

Checklist
Community contributors & Centreon team
- [x] I have followed the coding style guidelines provided by Centreon
- [ ] I have commented my code, especially new classes, functions or any legacy code modified. (docblock)
- [ ] I have commented my code, especially hard-to-understand areas of the PR.
- [x] I have rebased my development branch on the base branch (master, maintenance).
SonarQube Quality Gate
- 3 Bugs
- 0 Vulnerabilities
- 0 Security Hotspots (100.0% reviewed)
- 1407 Code Smells