Possible SQL injection vector through string-based query construction
This is a false positive because we don't run this query. We "pass" the query to Kodi to run
It's still potentially an SQL injection vector, just against KODI (with Medusa as the attack vector).
So what do you see as a fix? As we need to send the SELECT.
I would have to look at the KODI API to see if there are any alternatives (such as passing the statement and the variables, instead of building the entire statement).
The HTTP API (which uses the SELECT) shouldn't be needed or used for any KODI versions 12 or higher.
@Thraxis so that one is for legacy versions then?
Correct. KODI 12+ uses the JSON-RPC functions
So I think we can remove legacy, agree @Thraxis?
Kodi is now in v16
Yes... and Kodi is in V17 now with V18 in development.
Kodi 12 was released Jan 29, 2013
I would say split Kodi into legacy and 12+ modules and deprecate legacy Kodi... it's functional so there's no need to remove it
Kodi Eden is from 2012.
Well, imo we would only support new api (12+)
but it's just me
If it's currently working, what advantage does cutting it have? Deprecate it so that users know it's no longer supported, raise a warning about the above-mentioned possible vector, and call it done.
@labrys maybe we should add a warning to their logs or something stating it's outdated and that we recommend updating because of things like this. That way we can keep it as legacy but also work towards the newer more secure version.
Code already has the newer version
@OmgImAlexis that's what I meant about raising a warning about the mentioned possible vector
@fernandog Yes but going forward we should split them so that any future code can ignore the legacy stuff