• nutomicA
    link
    fedilink
    arrow-up
    10
    ·
    edit-2
    8 months ago

    Im a former contributor to F-Droid with various merged pull requests. Looking at the indicated pull request I really doubt that it was an intentional attack. First of all its easy to forget for a new developer to escape SQL parameters, and the docs dont even mention a risk of SQL injection attacks. And of the users pushing for the PR to be merged, one is a long-time F-Droid contributor, and the other also looks like a real human with many contributions in other repos, so no sockpuppets in sight.

    It simply looks like standard open source behaviour, for better or for worse. A new user makes a contribution for a highly demanded feature, and users want it to get merged as soon as possible. Maintainers are discussing the big picture of the change and want to avoid breaking changes, without getting into code review yet. The new contributor seems unwilling to make any design changes to his PR, and gets frustrated that it doesnt get merged as is. The potential vulnerability is only noticed half a year after the PR was opened, at which point it was already de facto abandoned. So not an attack, but simply a developer who is new to open source and doesnt understand how the process works.

    • ThetaDev@lemmy.dbzer0.com
      link
      fedilink
      arrow-up
      2
      ·
      8 months ago

      Plus how would you want to exploit a F-Droid SQL injection vulnerability in the search bar?

      AFAIK you cannot trigger searches using URLs, so the user would have to type/paste the SQL into the search field themselves to mess up their database.

      • nutomicA
        link
        fedilink
        arrow-up
        3
        ·
        8 months ago

        One of the comments mentions that another app can trigger search through an Android intent. So its better to be safe and close any potential vulnerabilities, but this doesnt seem particularly useful for an attacker.