[Security] SQL Injection Vulnerability in datasets and tasks routers #281
Description
Describe the bug
A critical security vulnerability was identified in the list_datasets and task lookup functions within the routers. The application was using raw string concatenation (f-strings) to build SQL queries from user-provided input.
This creates a high-risk SQL Injection (SQLi) vulnerability, allowing a malicious user to manipulate the query structure and execute unauthorized database commands, leading to potential data loss or unauthorized access.
To Reproduce
Steps to reproduce the behavior:
- Send a request to the
/datasets/listendpoint. - Provide a
tagparameter containing malicious SQL syntax, for example:
'study_14'); DROP TABLE dataset; -- - Result: The server concatenates this string directly into the query, which would attempt to drop the
datasettable.
Expected behavior
User input must always be treated as data, never as part of the SQL command structure. All database interactions should:
- Use parameterized placeholders (Bind Parameters).
- Strictly validate any dynamic table or column names against a predefined whitelist.
Additional context
This vulnerability was found in the following files:
src/routers/openml/datasets.pysrc/routers/openml/tasks.py
Status: A fix has already been implemented in the branch feature/sql-parameterization and is ready for review.