*: replace %s formatting for SQL statements with lexbase.EncodeSQLString throughout the codebase

[Azhng]

Currently, we have various places [1] where we use fmt.Sprintf() with %s to format SQL statements. This is prone to SQL injections bugs. Instead we should be using lexbase.EncodeSQLString to properly escape the statements.

edit (knz): note that tree.Name has a String() method that already does the right thing, so it's OK to do %s with a tree.Name. With string, not so much.

---

[1]: for instance (not comprehensive):

• cockroach/pkg/sql/delegate/show_schedules.go

  Line 55 in 8d4af45

  "executor_type = '%s'", tree.ScheduledBackupExecutor.InternalName()))

• cockroach/pkg/sql/delegate/show_syntax.go

  Line 40 in f18f7b8

  &query, "SELECT @1 AS %s, @2 AS %s FROM (VALUES ",

• cockroach/pkg/sql/sqlstats/persistedsqlstats/stmt_reader.go

  Line 135 in 08a8eec

  query = fmt.Sprintf("%s ORDER BY %s", query, strings.Join(orderByColumns, ","))

Jira issue: CRDB-9593

[knz]

@Azhng you're missing a hyperlink I think? Can you add it?

cc @catj-cockroach - can you put this on the seceng radar?

[knz]

NB: @petermattis has implemented a framework for CC managed-service that helps fix this. Peter, can you point the participants here to the code you've authored? thx

[petermattis]

https://github.com/cockroachlabs/managed-service/tree/master/pkg/safesql

[RichardJCai]

Ideally we could have a linter for this but that's pretty hard to do.

Another idea is to update our randomized testing framework to try doing SQL injection attacks on show commands and see if parse ever fails with the error that we're trying to parse multiple statements and our injection attack can contain crdb_internal.panic()