fix: issue 1928 #1932
fix: issue 1928 #1932
Conversation
|
The reason I went for parentheses around all values was to avoid any possibility of missing a dangerous value. It works properly for true query parameters. But as reported in #1928, it can break where the parameter is not actually a query parameter as PostgreSQL understands it. With non-actual query parameters in mind, I don't think that parentheses are the right approach, even if only done for negative values. It is entirely possible for a I think the actual approach is even simpler. Instead of wrapping with parentheses, wrap with spaces. That would prevent the accidental construction of a As far as the escape strings go, I don't think that is actually necessary. A PostgreSQL literal string is allowed to have newlines or any other character aside from |
|
The space solution is an interesting one. I went to escape strings because that seemed like it would prevent other attacks we haven't thought of involving new lines, and because it makes the log of those queries much cleaner since they then don't log with newlines. The other solution I considered was using the join of strings to substitute newlines with a pasted escaped newline.
|
|
|
||
| // Convert problematic line breaks to escape form | ||
| // See: https://www.postgresql.org/docs/9.0/sql-syntax-lexical.html Table 4.1 | ||
| if strings.ContainsAny(str, "\b\f\n\r\t") { |
There was a problem hiding this comment.
In the scenario where the value has both a line break AND a - prefix, we get an invalid E('value') instead of (E'value')
|
I ended up going for the space approach. |
This PR fixes the issues raised in #1928 and should prevent any other attacks using whitespace tricks as raised in the vulnerability report which initial prompted the breaking parenthesis addition.
It uses postgresql escape strings to prevent whitespace embedded in a value from being passed through to the SQL parser.
See: https://www.postgresql.org/docs/9.0/sql-syntax-lexical.html for information on this extension.