*: replace %s formatting for SQL statements with lexbase.EncodeSQLString throughout the codebase #69428
Labels:
A-security
C-cleanup: Tech debt, refactors, loose ends, etc. Solution not expected to significantly change behavior.
S-3: Medium-low impact: incurs increased costs for some users (incl lower avail, recoverable bad data)
T-sql-foundations: SQL Foundations Team (formerly SQL Schema + SQL Sessions)
T-sql-queries: SQL Queries Team
Currently, we have various places [1] where we use fmt.Sprintf() with %s to format SQL statements. This is prone to SQL injection bugs. Instead we should be using lexbase.EncodeSQLString to properly escape the statements.

edit (knz): note that tree.Name has a String() method that already does the right thing, so it's OK to do %s with a tree.Name. With string, not so much.

[1]: for instance (not comprehensive):
cockroach/pkg/sql/delegate/show_schedules.go, line 55 in 8d4af45
cockroach/pkg/sql/delegate/show_syntax.go, line 40 in f18f7b8
cockroach/pkg/sql/sqlstats/persistedsqlstats/stmt_reader.go, line 135 in 08a8eec
Jira issue: CRDB-9593
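The contrast the issue describes, as an added example that is not part of this issue and not CockroachDB's code: a plain string spliced in with %s, the same value passed through a string-literal encoder, and a Stringer-backed identifier type used with %s. The encodeSQLString and sqlName helpers here are simplified stand-ins written for this example (the real lexbase.EncodeSQLString also handles backslashes and control characters via the e'...' form, and tree.Name does more than double quotes); the schedules table, label column and the input value are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// encodeSQLString is a simplified stand-in for lexbase.EncodeSQLString,
// constructed for this example: it wraps s in single quotes and doubles
// any embedded single quote, so the whole input stays one SQL literal.
func encodeSQLString(s string) string {
	return "'" + strings.ReplaceAll(s, "'", "''") + "'"
}

// sqlName mimics the relevant property of tree.Name (constructed, not the
// CockroachDB type): its String() method renders a quoted identifier with
// embedded double quotes doubled, so fmt's %s on it is safe even though
// %s on a bare string is not.
type sqlName string

func (n sqlName) String() string {
	return `"` + strings.ReplaceAll(string(n), `"`, `""`) + `"`
}

// unsafeShowQuery is the pattern the issue asks to remove: the raw string
// lands inside the statement and nothing escapes it.
func unsafeShowQuery(label string) string {
	return fmt.Sprintf("SELECT * FROM schedules WHERE label = '%s'", label)
}

// safeShowQuery encodes the value as a literal first; the caller's input
// cannot terminate the literal or alter the statement's structure.
func safeShowQuery(label string) string {
	return fmt.Sprintf("SELECT * FROM schedules WHERE label = %s", encodeSQLString(label))
}

// showTable uses %s with a Stringer-backed identifier, the case the
// issue's edit singles out as acceptable.
func showTable(tbl sqlName) string {
	return fmt.Sprintf("SELECT * FROM %s", tbl)
}

// hasBalancedQuotes is a cheap sanity check on a generated statement: an
// odd number of single quotes means a literal was left open, which is
// exactly what an unescaped quote in the input produces.
func hasBalancedQuotes(stmt string) bool {
	return strings.Count(stmt, "'")%2 == 0
}

func main() {
	// Constructed input containing a single quote, a perfectly ordinary
	// value that is enough to break the unsafe form.
	label := "O'Brien"
	for _, stmt := range []string{unsafeShowQuery(label), safeShowQuery(label)} {
		fmt.Printf("balanced=%-5v %s\n", hasBalancedQuotes(stmt), stmt)
	}
	fmt.Println(showTable(sqlName(`my"table`)))
}
```

Running main prints the unsafe statement with three single quotes (the literal closes after O and the rest is dangling SQL) and the safe statement with the quote doubled inside a single literal. The same reasoning applies when the input is chosen rather than accidental, which is why the string case needs the encoder while the tree.Name case does not.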