Three years ago, #FDroid had a similar kind of attempt as the #xz #backdoor. A new contributor submitted a merge request to improve the search, which was oft requested but the maintainers hadn't found time to work on. There was also pressure from other random accounts to merge it. In the end, it became clear that it added a #SQLinjection #vuln. In this case, we managed to catch it before it was merged. Since similar tactics were used, I think its relevant now
@eighthave Interesting. However, with a project that relies on string concatenation for producing SQL queries rather than prepared statements – this kind of thing is to be expected, most likely it was an honest mistake. The issue was also fairly obvious, someone attempting to introduce it maliciously should have expected it to be caught.
@WPalant Because the submitter deleted their account as a response to the review, I think it could be an deliberate attempt to insert the vuln. Plus all the attention from random new accounts. If it had been a normal review process, I could see how it could have been an honest mistake. But that scenario also makes it more attractive to the attacker, since making a mistake there is quite plausible, and could serve as an easy cover story.
@eighthave @WPalant It sounds like the person got frustrated and left the project after trying for four months to have their changes approved. From reading the thread, I don’t blame them.