

RDISCROWD-7037 SQL Injection Fix (#902)
* apostrophe fix

* fix test

* update replace call
n00rsy committed Feb 21, 2024
1 parent a1d3ab4 commit 674756f
Showing 2 changed files with 11 additions and 1 deletion.
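--- a/pybossa/sched.py
+++ b/pybossa/sched.py
@@ -419,7 +419,8 @@ def reserve_task_sql_filters(project_id, reserve_task_keys, exclude):
 filter_list = []
 for i in range(0, len(category_fv), 2):
 key, value = category_fv[i], category_fv[i + 1]
-filter_list.append("task.info->>'{}' = '{}'".format(key, value))
+escaped_value = value.replace("'", "''")
+filter_list.append("task.info->>'{}' = '{}'".format(key, escaped_value))
 filter_dict[category] = "({})".format(" AND ".join(filter_list))
 
 if filter_dict: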
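Review bot: Only `value` is escaped on the new `escaped_value` line; `key` is still interpolated verbatim into `task.info->>'{}'` on the line after it, so a category key containing a single quote would still terminate that literal. The cheapest fix consistent with this change is to double the quotes in the key as well, `escaped_key = key.replace("'", "''")` and `.format(escaped_key, escaped_value)`. Quote-doubling is a complete escape for PostgreSQL string literals only while `standard_conforming_strings` is on (the server default); passing key and value as bind parameters instead of building the literal would remove that dependency, though since the caller appears to consume the returned filter string directly that would be a wider interface change than this commit attempts. reserve_task_sql_filters begins before this hunk.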
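--- a/test/test_reserve_task_category.py
+++ b/test/test_reserve_task_category.py
@@ -79,6 +79,15 @@ def test_task_category_to_sql_filter(self):
 "reserve_task:project:202:category:x:1:y:2:z:3:user:1008:task:454"
 ], "filters, category must be as per keys passed and include negate, NOT IN clause"
 
+# task category key exists, returns sql filter and its associated category_keys
+project_id, exclude = "202", False
+task_info = dict(name1="john's value", name2="john's baker's value")
+expected_sql_filter = " AND ((task.info->>'name1' = 'john''s value' AND task.info->>'name2' = 'john''s baker''s value')) "
+reserve_task_keys = ["reserve_task:project:{}:category:name1:john's value:name2:john's baker's value:user:1008:task:454".format(project_id)]
+filters, category_keys = reserve_task_sql_filters(project_id, reserve_task_keys, exclude)
+assert filters == expected_sql_filter and \
+category_keys == reserve_task_keys, "filters, category must be non empty"
+
 
 @with_context
 @patch('pybossa.redis_lock.LockManager.get_task_category_lock')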
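Review bot: The new assertions only exercise apostrophes inside values; no case puts an apostrophe in a category key (`name1` / `name2`), so the test would not detect a key being passed through unescaped. Adding one key with a quote to `reserve_task_keys` and its doubled form to `expected_sql_filter` would pin that path too. The `task_info` dict built on the first added statement is not referenced by anything else in this hunk, so it looks like leftover setup that can be dropped unless the rest of the method, which begins before this hunk, uses it.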
