Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[REF] CONTRIBUTING.md: Add section for "don't bypass the ORM" #183

Merged
merged 1 commit into from
Mar 16, 2016
Merged

[REF] CONTRIBUTING.md: Add section for "don't bypass the ORM" #183

merged 1 commit into from
Mar 16, 2016

Conversation

moylop260
Copy link
Contributor

Important section extracted from: odoo/coding_guidelines_framework

@moylop260 moylop260 mentioned this pull request Mar 12, 2016
Closed
2 tasks
eLBati
eLBati reviewed Mar 14, 2016
View reviewed changes
CONTRIBUTING.md
# very very wrong
cr.execute('select id from auction_lots where auction_id in (' +
','.join(map(str, ids)) + ') and state=%s and obj_price>0',
('draft',))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Assuming ids to be a list of integers, how can injection be made here?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If you don't have a constraint validating that the value must be a list of integer we are susceptible to sql injection with concatenate.

The sql injection is explain better here

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@eLBati
FYI I have created follow script to understand the real issue of sql injection:
https://github.com/vauxoo-dev/gist-vauxoo/blob/master/sql_injection.py

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@moylop260 thanks

nhomar added a commit that referenced this pull request Mar 16, 2016
@nhomar
Merge pull request #183 from vauxoo-dev/master-oca-no-bypass-orm-moy
81060fc 
[REF] CONTRIBUTING.md: Add section for "don't bypass the ORM"
@nhomar nhomar merged commit 81060fc into OCA:master Mar 16, 2016
@nhomar nhomar deleted the master-oca-no-bypass-orm-moy branch March 16, 2016 13:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@moylop260 @eLBati @nhomar