this post was submitted on 04 Apr 2024
178 points (96.4% liked)

Open Source

31089 readers
440 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] nutomic@lemmy.ml 10 points 7 months ago* (last edited 7 months ago) (2 children)

Im a former contributor to F-Droid with various merged pull requests. Looking at the indicated pull request I really doubt that it was an intentional attack. First of all its easy to forget for a new developer to escape SQL parameters, and the docs dont even mention a risk of SQL injection attacks. And of the users pushing for the PR to be merged, one is a long-time F-Droid contributor, and the other also looks like a real human with many contributions in other repos, so no sockpuppets in sight.

It simply looks like standard open source behaviour, for better or for worse. A new user makes a contribution for a highly demanded feature, and users want it to get merged as soon as possible. Maintainers are discussing the big picture of the change and want to avoid breaking changes, without getting into code review yet. The new contributor seems unwilling to make any design changes to his PR, and gets frustrated that it doesnt get merged as is. The potential vulnerability is only noticed half a year after the PR was opened, at which point it was already de facto abandoned. So not an attack, but simply a developer who is new to open source and doesnt understand how the process works.

[–] toaster@slrpnk.net 2 points 7 months ago

This makes more sense imo, thanks for sharing your experience (and your Lemmy development :))

[–] ThetaDev@lemmy.dbzer0.com 2 points 7 months ago (1 children)

Plus how would you want to exploit a F-Droid SQL injection vulnerability in the search bar?

AFAIK you cannot trigger searches using URLs, so the user would have to type/paste the SQL into the search field themselves to mess up their database.

[–] nutomic@lemmy.ml 3 points 7 months ago

One of the comments mentions that another app can trigger search through an Android intent. So its better to be safe and close any potential vulnerabilities, but this doesnt seem particularly useful for an attacker.