[ADD] sql-injection: Add new check to avoid sql injection #29
Conversation
moylop260
force-pushed
the
master-oca-add-sql-injection-moy
branch
from
abff63a
to
a619d68
Compare
| 'WHERE parent_id IN %s' | ||
| % (tuple(ids),)) | ||
|
|
||
| def sql_injection_method2(self, ids): |
There was a problem hiding this comment.
This one is the same as the method 1. Why putting it?
There was a problem hiding this comment.
You are right!
Thanks for feedback
moylop260
force-pushed
the
master-oca-add-sql-injection-moy
branch
from
a619d68
to
a247588
Compare
moylop260
changed the title
|
👍 |
moylop260
force-pushed
the
master-oca-add-sql-injection-moy
branch
from
a247588
to
3bd7698
Compare
| def sql_injection_method5(self, ids): | ||
| var = 'SELECT name FROM account WHERE id IN %s' | ||
| values = ([1, 2, 3, ], ) | ||
| self._cr.execute(var % values) # sql injection too |
There was a problem hiding this comment.
@moylop260 how does this work exactly. I guess these methods will be called somehow in unit tests ? For now, I don't get how you can be sure that sql_method will not be detected and sql_injection_method will be.
There was a problem hiding this comment.
We have a coverage of 100% here
Maybe you could be interest in review the following material:
There was a problem hiding this comment.
You could see the output of the tests here
pylint_odoo/test_repo/broken_module/models/broken_model.py:93: [E8103(sql-injection), TestModel.sql_injection_method] Use of "%" operator in execute database method. Better use parameters instead. - More info https://github.com/OCA/maintainer-tools/blob/master/CONTRIBUTING.md#no-sql-injection
pylint_odoo/test_repo/broken_module/models/broken_model.py:95: [E8103(sql-injection), TestModel.sql_injection_method] Use of "%" operator in execute database method. Better use parameters instead. - More info https://github.com/OCA/maintainer-tools/blob/master/CONTRIBUTING.md#no-sql-injection
pylint_odoo/test_repo/broken_module/models/broken_model.py:97: [E8103(sql-injection), TestModel.sql_injection_method] Use of "%" operator in execute database method. Better use parameters instead. - More info https://github.com/OCA/maintainer-tools/blob/master/CONTRIBUTING.md#no-sql-injection
pylint_odoo/test_repo/broken_module/models/broken_model.py:110: [E8103(sql-injection), TestModel.sql_injection_method5] Use of "%" operator in execute database method. Better use parameters instead. - More info https://github.com/OCA/maintainer-tools/blob/master/CONTRIBUTING.md#no-sql-injectionWe have a expected number of errors by check here
'sql-injection': 4,I hope to be clear
There was a problem hiding this comment.
@moylop260 ok, I get it, you must check the logs to verify that your test succeded. I'm ok with that.
|
👍 |
moylop260
changed the title
|
Could merge it? |
|
What about: cr.execute('SELECT id FROM %s' % table_name)Which is valid as we are not injecting a value but relation name (injection using params would not work here). |
|
@guewen IMHO here we can use the same criteria like as invalid-commit comment
What do you think? |
moylop260
force-pushed
the
master-oca-add-sql-injection-moy
branch
2 times, most recently
from
5b57677
to
19d60b0
Compare
|
FYI rebased! |
moylop260
force-pushed
the
master-oca-add-sql-injection-moy
branch
from
19d60b0
to
044b883
Compare
…test and controllers
|
@guewen |
|
@guewen |
|
@moylop260 I was busy for a few days. Creative people will use |
|
@guewen Yes, you are right! |
|
@guewen |
|
@pedrobaeza @dreispt |
Note: This is a progressive PR from #28(Now is merged!)Example of comment by @dufresnedavid
