[hpoe]

Given many of the engineers i have worked with and much more importantly the PMs and Managers that work over them, I would expect vulnerabilities like this to proliferate all over the place if people were to roll their own logging and telematry and especially authentication.

I mean SQL injection is such an easy known mitigation yet is still on the OWASP top 10 even after so many years.

[ineedasername]

Yes, people still forget to

  ; delete from comments where id = 29544262 */--

sanitize their inputs.

...still there?

[mypalmike]

The humor here is that sanitizing inputs is not the proper mitigation.

[mro_name]

but? It think it's far deeper than mitigation, it's the solution.

Edit: I apologize for getting 'sanitation' wrong. Don't do it.

[AnotherGoodName]

For databases you simply parametize the inputs so that code is code and data is data and there's no mixing of the two.

Sanitization is a defence of last resort when you simply can't separate code and data. Usually used for user content on the web since HTML has no formal mechanism to separate code and data because the angled brackets that do this separation are also valid user input.

But databases do have a way to separate the query from the data. Parametize your queries.

[mro_name]

Indeed. That's enforced system boundaries.

[jdlshore]

The proper solution to SQL injection is parameterized queries, not input sanitization, to my knowledge.

[drunkpotato]

The irony here is that if you use the log4j equivalent of parameterized queries, parameterized logging strings, you're still vulnerable to this CVE, even if you did everything right.

[benhoyt]

> sanitize their inputs.

For anyone confused about why "sanitizing your inputs" isn't the right approach, please read (shameless self-promotion, but I think the concept is important): https://benhoyt.com/writings/dont-sanitize-do-escape/

[ineedasername]

I've pretty much always taken 'sanitize' as a catch-all for all of the things you need to do.

[benhoyt]

Fair enough on that part. But it's the "their inputs" part that's just as problematic: whatever massaging you do to your "inputs", they'll always be unsafe in some contexts. You need to encode/escape your output.

[mro_name]

it's all about system boundaries. Would you have arbitrary racoons in your closet?

[ineedasername]

It seems like you're saying that I should let the racoons out of my closet. I'll consider it, but then getting my clothes every morning will be a lot less exciting.