Although I am impressed by the work, I dislike these writeups.

In similar bug bounty posts, a user will post all this brilliant setup code, these tools I never heard of to decompile binaries, view source, get through obfuscation, etc.

Then, when you get to the meat and bones, they just go "Ok and the vulnerability is here, and you exploit it like this. Ta da."

It's very anti-climactic, and I don't learn much in the process. I would like to learn more about what your thought process is like after you get the code. How did you narrow your focus on ActiveRecord? Did you just know from seeing it? I would love to learn more. Do expert pen-testers have this checklist of exploits they try?

Sorry if it sounds whiny, I would just love it if these had more meat in the actual finding of the exploit as they did in the setup.
It still boggles my mind that SQL injection is a thing in 2016, let alone in a modern codebase from a great software company with amazing engineers.

Somehow we (the programming profession) are doing this whole thing wrong, and I'm not sure why.
It's hidden way down at the bottom, but I found the Timeline to be my favourite part :)

Edit: Can't seem to format it correctly, just check the original source.
For those for whom this website is marked as dangerous: http://webcache.googleusercontent.com/search?q=cache:z7yyaxITRoAJ:blog.orange.tw/2017/01/bug-bounty-github-enterprise-sql-injection.html+&cd=1&hl=en&ct=clnk&gl=uk
I'm curious if the author decompiled binaries generated from C code. In that case, I understand how one could "disassemble" binaries, but generating readable C code, is that possible?
Glad to see the communication between Orange and GitHub went great. Both did the right thing after discovering the flaw. Orange reported it and GitHub fixed it and allowed Orange to publish a blog post. I have to admit I'm a bit of a fanboy of HackerOne.

The custom SQL query is something that is hard to prevent. It is still hard to use ActiveRecord/Arel for everything. I'm sure GitLab is not immune to it.

GitHub chooses to encrypt their source code to prevent modifications. Our experience at GitLab is that customer modifications don't cause a lot of extra load on our support team. But of course that might be caused by having different architectures and customers.
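A concrete take on the "custom SQL is hard to prevent" point in the comment above, and on the earlier question of how one narrows focus onto ActiveRecord, as an added example that is not code from the thread, from GitHub or from GitLab: a small audit script that flags ActiveRecord query calls whose double-quoted SQL fragment interpolates or concatenates Ruby values, the pattern that bind placeholders and hash conditions avoid. The method list and the sample source lines are constructed for this example.

```ruby
# Added example (not from the thread, GitHub or GitLab): a grep-style audit for
# custom SQL fragments in ActiveRecord calls. Double-quoted strings that
# interpolate (#{...}) or are concatenated (+) with Ruby values are flagged;
# hash conditions, "?" bind placeholders and single-quoted literals are not.

# Query-building methods that accept raw SQL fragments (list constructed for the example).
SQL_METHODS = %w[where order group having select joins find_by_sql execute].freeze
METHOD_RE = Regexp.union(SQL_METHODS)

# Returns an array of { line:, method:, reason: } hashes, one per flagged line.
def audit_sql_fragments(source)
  findings = []
  source.each_line.with_index(1) do |text, lineno|
    # method name, optional "(", then a double-quoted string literal
    m = text.match(/\b(#{METHOD_RE})\s*\(?\s*("(?:[^"\\]|\\.)*")/)
    next unless m

    literal = m[2]
    reason =
      if literal.include?('#{')
        "Ruby interpolation inside SQL string"
      elsif m.post_match =~ /\A\s*\+/ # literal immediately followed by "+"
        "string concatenation into SQL"
      end
    findings << { line: lineno, method: m[1], reason: reason } if reason
  end
  findings
end

# Constructed sample of Rails model code; single-quoted heredoc so #{...} stays literal.
SAMPLE = <<~'RUBY'
  User.where(name: params[:name])                                    # hash form
  User.where("name = ?", params[:name])                              # bind placeholder
  User.where("name = '#{params[:name]}'")                            # interpolation
  Repo.order("#{params[:sort]} DESC")                                # interpolation
  Repo.find_by_sql("SELECT * FROM repos WHERE id = " + params[:id])  # concatenation
  Repo.where('private = 1')                                          # no interpolation
RUBY

if __FILE__ == $PROGRAM_NAME
  audit_sql_fragments(SAMPLE).each do |f|
    puts "line #{f[:line]}: #{f[:method]} -> #{f[:reason]}"
  end
end
```

Running it over the constructed sample reports lines 3, 4 and 5 only; pointing it at a real Rails tree is a cheap first pass before reviewing each hit by hand.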