Added basic protection for SQL-injections

idlesign · Mar 13, 2020 · 6fa3507 · 6fa3507
1 parent ab91200
commit 6fa3507
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 5 deletions.
diff --git a/CHANGELOG b/CHANGELOG
@@ -2,6 +2,11 @@ pg_analyse changelog
 ====================
 
 
+Unreleased
+----------
++ Added basic protection for SQL-injections.
+
+
 v0.2.2 [2020-03-12]
 -------------------
 * Fix. Repack with SQLs previously missing.

diff --git a/pg_analyse/inspections/base.py b/pg_analyse/inspections/base.py
@@ -60,12 +60,16 @@ def _tpl_read(self) -> str:
     def get_sql(self) -> str:
         """Returns SQL ready to be executed."""
 
-        out = self._tpl_read()
+        # Here we replace ":var"-like param placeholders
+        # with "%(var)s"-like acceptable for psycopg2,
+        # escaping % with %%.
+
+        out = self._tpl_read().replace('%', '%%')
         aliases = self.params_aliases
 
         for name, value in self.arguments.items():
             name_sql = aliases.get(name, name)
-            out = out.replace(f':{name_sql}', f"'{value}'")
+            out = out.replace(f':{name_sql}', f'%({name})s')
 
         return out
 

diff --git a/pg_analyse/toolbox.py b/pg_analyse/toolbox.py
@@ -32,10 +32,10 @@ def __init__(self, *, dsn: str = ''):
 
         self.dsn = dsn
 
-    def _sql_exec(self, *, connection, sql: str) -> InspectionResult:
+    def _sql_exec(self, *, connection, sql: str, params: dict) -> InspectionResult:
 
         with connection.cursor() as cursor:
-            cursor.execute(sql)
+            cursor.execute(sql, params)
             columns = [column.name for column in cursor.description]
             rows = cursor.fetchall()
 
@@ -68,7 +68,8 @@ def run(self, *, only: TypeOnly = None, arguments: TypeInspectionsArgs = None) -
 
                     inspection.result = self._sql_exec(
                         connection=connection,
-                        sql=inspection.get_sql()
+                        sql=inspection.get_sql(),
+                        params=inspection.arguments,
                     )
 
                     results.append(inspection)