Is your feature request related to a problem? Please describe.
Application firewalls following the OWASP Core Rule Set (coreruleset.org) scan for SQL injection attempts and trigger on valid Espo traffic. Not all firewalls can be tuned to intelligently allow, e.g., regexps to override the SQL injection rules.
Describe the solution you'd like
Prefer not to use SQL keywords such as "select" and "where" as parameter names. Maybe change them to "sel" and "whr" in ControllerUtil.
Optionally, you may consider filing a request for an exemption rule.
Describe alternatives you've considered
For now, only disabling the SQL injection detection rule, which is not preferred.
Related: Azure WAF (Web Application Firewall) false positive:
Upgrading extensions or uploading files may trigger the rule "Request body length (excluding file upload fields) exceeded the limit".
This is because files are base64-encoded in the request body, rather than sent as regular attachment uploads.
Just be aware that if you are running behind an application gateway, these errors may produce silent application failures with only a short "error 403" message.
Suggested: the client could report this type of intermediate error back to the application server. Currently they just disappear in the rejection logs of application gateways that may not be under your control.
Example URL that triggers the SQL injection false positive:
https://espocrm.local/api/v1/Report?select=name%2CentityType%2Ctype%2CassignedUserId%2CassignedUserName%2CcategoryId%2CcategoryName&maxSize=100&offset=0&orderBy=name&order=asc&where%5B0%5D%5Battribute%5D=categoryId&where%5B0%5D%5Btype%5D=isNull
Additional context
https://coreruleset.org/installation/
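One way to implement the exemption rule mentioned above without disabling SQL injection detection, as an added example that is not part of the issue or of EspoCRM: a ModSecurity runtime exclusion for the OWASP CRS that removes only the Espo API's `select` and `where[...]` parameters from the SQLi-tagged rules on the `/api/v1/` path. The rule id 10001, the path prefix and the regex form of the `where` target are assumptions for this example.

```apache
# Added example, not from the issue or EspoCRM. Assumes ModSecurity 2.9+ with
# OWASP CRS; put runtime exclusions like this one in
# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.

# Too broad (the alternative the issue rejects): every SQLi rule is switched
# off for the whole site, including real injection attempts elsewhere.
#SecRuleRemoveByTag "attack-sqli"

# Scoped instead: for Espo API requests only, stop the rules tagged attack-sqli
# from inspecting the "select" parameter and the "where[<n>][...]" parameters,
# both by name (ARGS_NAMES) and by value (ARGS). Every other parameter, path
# and rule group keeps full CRS coverage and still logs and blocks as before.
# Rule id 10001 is a constructed local id (CRS reserves 900000-999999).
SecRule REQUEST_URI "@beginsWith /api/v1/" \
    "id:10001,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetByTag=attack-sqli;ARGS_NAMES:select,\
    ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:select,\
    ctl:ruleRemoveTargetByTag=attack-sqli;ARGS_NAMES:/^where/,\
    ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:/^where/"
```

After adding the rule, replay the example URL above against the WAF in DetectionOnly mode and confirm that no 942xxx (SQLi) rule matches before switching back to blocking.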