Can user execute update/delete XSS in query? #199

d47081 · 2024-03-21T20:45:11Z

d47081
Mar 21, 2024

I'm using this escaping method:

      $query = $index->search(
        @\Manticoresearch\Utils::escape(
          $q
        )
      );

thoughts allow users make raw requests for extended (sphinx) queries

but they able to delete records from index? for example by doing something like:

...query');DELETE FROM...

as understand, access permissions like in MySQL not implemented in manticore?

Would be nice to allow extended features but worried somebody able to drop the index without escape method

Answered by sanikolaev

$index->search() doesn't use the /sql endpoint (https://manual.manticoresearch.com/Connecting_to_the_server/HTTP#/sql), so it's unlikely there can be an injection which would let you execute DELETE with a specific query. Even if search() used /sql, /sql can only run searches, you'd have to use /sql?mode=raw for everything else (https://manual.manticoresearch.com/Connecting_to_the_server/HTTP#/sql?mode=raw

as understand, access permissions like in MySQL not implemented in manticore?

Correct.

sanikolaev · 2024-03-25T07:22:40Z

$index->search() doesn't use the /sql endpoint (https://manual.manticoresearch.com/Connecting_to_the_server/HTTP#/sql), so it's unlikely there can be an injection which would let you execute DELETE with a specific query. Even if search() used /sql, /sql can only run searches, you'd have to use /sql?mode=raw for everything else (https://manual.manticoresearch.com/Connecting_to_the_server/HTTP#/sql?mode=raw

as understand, access permissions like in MySQL not implemented in manticore?

Correct.

1 reply

Thanks, I will enable this method so as drafted before, but worried to use :)