[ADD] sql-injection: Add new check to avoid sql injection #29
Conversation
abff63a to a619d68
'WHERE parent_id IN %s'
% (tuple(ids),))

def sql_injection_method2(self, ids):
This one is the same as method 1. Why put it in?
You are right!
Thanks for the feedback
Fixed
a619d68 to a247588
a247588 to 3bd7698
def sql_injection_method5(self, ids):
    var = 'SELECT name FROM account WHERE id IN %s'
    values = ([1, 2, 3, ], )
    self._cr.execute(var % values)  # sql injection too
@moylop260 how does this work exactly? I guess these methods will be called somehow in unit tests? For now, I don't get how you can be sure that sql_method will not be detected and sql_injection_method will be.
You could see the output of the tests here
pylint_odoo/test_repo/broken_module/models/broken_model.py:93: [E8103(sql-injection), TestModel.sql_injection_method] Use of "%" operator in execute database method. Better use parameters instead. - More info https://github.com/OCA/maintainer-tools/blob/master/CONTRIBUTING.md#no-sql-injection
pylint_odoo/test_repo/broken_module/models/broken_model.py:95: [E8103(sql-injection), TestModel.sql_injection_method] Use of "%" operator in execute database method. Better use parameters instead. - More info https://github.com/OCA/maintainer-tools/blob/master/CONTRIBUTING.md#no-sql-injection
pylint_odoo/test_repo/broken_module/models/broken_model.py:97: [E8103(sql-injection), TestModel.sql_injection_method] Use of "%" operator in execute database method. Better use parameters instead. - More info https://github.com/OCA/maintainer-tools/blob/master/CONTRIBUTING.md#no-sql-injection
pylint_odoo/test_repo/broken_module/models/broken_model.py:110: [E8103(sql-injection), TestModel.sql_injection_method5] Use of "%" operator in execute database method. Better use parameters instead. - More info https://github.com/OCA/maintainer-tools/blob/master/CONTRIBUTING.md#no-sql-injection
We have an expected number of errors by check here
'sql-injection': 4,
I hope to be clear
@moylop260 ok, I get it, you must check the logs to verify that your test succeeded. I'm ok with that.
Thank you
👍
Could you merge it?
What about: cr.execute('SELECT id FROM %s' % table_name) Which is valid as we are not injecting a value but a relation name (injection using params would not work here).
@guewen IMHO here we can use the same criteria as the invalid-commit comment.
What do you think?
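As an added illustration (not the PR's own checker, which is a pylint/astroid plugin), a stdlib `ast` stand-in for the rule the test output above exercises: flag every `execute()` call whose first argument is built with the `%` operator, whether the interpolated value is a data value or, as in the `table_name` case just discussed, a relation name that parameters cannot replace. The `SAMPLE` source is constructed from the patterns in this thread and the `EXECUTE_NAMES` set is an assumption.

```python
import ast

# Constructed sample modelled on the methods discussed in this PR (not the
# project's test_repo file): two execute() calls that format the query with
# "%" and one that passes the values as a separate parameters tuple.
SAMPLE = '''
class TestModel(object):
    def sql_injection_method(self, ids):
        self._cr.execute('SELECT name FROM account WHERE parent_id IN %s'
                         % (tuple(ids),))

    def sql_injection_method5(self, ids):
        var = 'SELECT name FROM account WHERE id IN %s'
        values = ([1, 2, 3, ], )
        self._cr.execute(var % values)

    def sql_method(self, ids):
        self._cr.execute('SELECT name FROM account WHERE parent_id IN %s',
                         (tuple(ids),))
'''

# Assumed names of the cursor methods to inspect.
EXECUTE_NAMES = {"execute", "executemany"}


def find_percent_in_execute(source):
    """Return (lineno, enclosing function name or None) for each execute()
    call whose first argument is a "%" expression (ast.BinOp with ast.Mod).
    Simplified: it does not follow a query variable back to its assignment."""
    tree = ast.parse(source)
    # ast.walk visits parents before children, so every node's enclosing
    # function name is known by the time the node itself is inspected.
    scope = {}
    for node in ast.walk(tree):
        for child in ast.iter_child_nodes(node):
            scope[child] = node.name if isinstance(node, ast.FunctionDef) else scope.get(node)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        callee = node.func
        name = callee.attr if isinstance(callee, ast.Attribute) else getattr(callee, "id", None)
        if name not in EXECUTE_NAMES:
            continue
        first = node.args[0]
        if isinstance(first, ast.BinOp) and isinstance(first.op, ast.Mod):
            findings.append((node.lineno, scope.get(node)))
    return findings


if __name__ == "__main__":
    for lineno, func in find_percent_in_execute(SAMPLE):
        print('%d: [sql-injection, %s] Use of "%%" operator in execute' % (lineno, func))
```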
5b57677 to 19d60b0
FYI rebased!
19d60b0 to 044b883
…test and controllers
@guewen
@moylop260 I was busy for a few days. Creative people will use
@guewen Yes, you are right!
@guewen
@pedrobaeza @dreispt |
Note: This is a progressive PR from #28 (now merged!). Example of comment by @dufresnedavid:
![screen shot 2016-05-18 at 9 07 28 am](https://cloud.githubusercontent.com/assets/6644187/15361664/07d11e72-1cd8-11e6-90b8-f1efe3a06164.png)