fix: possible unauthenticated SQL injection when login #1383

jczhong84 · 2023-12-08T00:04:18Z

when sending an object insdie the username like:

POST /ds/login/ HTTP/1.1
Host: localhost:10001

{"username":{"test":1},"password":"test"}

will get

"(pymysql.err.ProgrammingError) (1064, \"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''test': '1'} \\n LIMIT 1' at line 3\")\n[SQL: SELECT user.password AS user_password, user.id AS user_id, user.username AS user_username, user.fullname AS user_fullname, user.email AS user_email, user.profile_img AS user_profile_img, user.deleted AS user_deleted, user.is_group AS user_is_group, user.properties AS user_properties \nFROM user \nWHERE user.username = %(username_1)s \n LIMIT %(param_1)s]\n[parameters: {'username_1': {'test': 1}, 'param_1': 1}]\n(Background on this error at: https://sqlalche.me/e/14/f405)",
  "host": "2297766a08be",
  "traceback": "Traceback (most recent call last):\n  File \"/usr/local/lib/python3.9/site-packages/sqlalchemy/engine/base.py\", line 1819, in _execute_context\n    self.dialect.do_execute(\n  File \"/usr/local/lib/python3.9/site-packages/sqlalchemy/engine/default.py\", line 732, in do_execute\n    cursor.execute(statement, parameters)\n  File \"/usr/local/lib/python3.9/site-packages/pymysql/cursors.py\", line 148, in execute\n    result = self._query(query)\n  File \"/usr/local/lib/python3.9/site-packages/pymysql/cursors.py\", line 310, in _query\n    conn.query(q)\n  File \"/usr/local/lib/python3.9/site-packages/pymysql/connections.py\", line 548, in query\n    self._affected_rows = self._read_query_result(unbuffered=unbuffered)\n  File \"/usr/local/lib/python3.9/site-packages/pymysql/connections.py\", line 775, in _read_query_result\n    result.read()\n  File \"/usr/local/lib/python3.9/site-packages/pymysql/connections.py\", line 1156, in read\n    first_packet = self.connection._read_packet()\n  File \"/usr/local/lib/python3.9/site-packages/pymysql/connections.py\", line 725, in _read_packet\n    packet.raise_for_error()\n  File \"/usr/local/lib/python3.9/site-packages/pymysql/protocol.py\", line 221, in raise_for_error\n    err.raise_mysql_exception(self._data)\n  File \"/usr/local/lib/python3.9/site-packages/pymysql/err.py\", line 143, in raise_mysql_exception\n    raise errorclass(errno, errval)\npymysql.err.ProgrammingError: (1064, \"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''test': '1'} \\n LIMIT 1' at line 3\")\n\nThe above exception was the direct cause of the following exception:\n\nTraceback (most recent call last):\n  File \"/opt/querybook/querybook/server/app/datasource.py\", line 84, in handler\n    results = fn(**kwargs)\n  File \"/opt/querybook/querybook/server/app/auth/password_auth.py\", line 50, in login_user_endpoint\n    user = authenticate(username, password, session=session)\n  File \"/opt/querybook/querybook/server/app/db.py\", line 136, in func\n    return fn(*args, **kwargs)\n  File \"/opt/querybook/querybook/server/app/auth/password_auth.py\", line 35, in authenticate\n    user = get_user_by_name(username, session=session)\n  File \"/opt/querybook/querybook/server/app/db.py\", line 136, in func\n    return fn(*args, **kwargs)\n  File \"/opt/querybook/querybook/server/logic/user.py\", line 35, in get_user_by_name\n    return User.get(username=username, session=session)\n  File \"/opt/querybook/querybook/server/app/db.py\", line 136, in func\n    return fn(*args, **kwargs)\n  File \"/opt/querybook/querybook/server/lib/sqlalchemy/__init__.py\", line 77, in get\n    return query.first()\n  File \"/usr/local/lib/python3.9/site-packages/sqlalchemy/orm/query.py\", line 2819, in first\n    return self.limit(1)._iter().first()\n  File \"/usr/local/lib/python3.9/site-packages/sqlalchemy/orm/query.py\", line 2903, in _iter\n    result = self.session.execute(\n  File \"/usr/local/lib/python3.9/site-packages/sqlalchemy/orm/session.py\", line 1712, in execute\n    result = conn._execute_20(statement, params or {}, execution_options)\n  File \"/usr/local/lib/python3.9/site-packages/sqlalchemy/engine/base.py\", line 1631, in _execute_20\n    return meth(self, args_10style, kwargs_10style, execution_options)\n  File \"/usr/local/lib/python3.9/site-packages/sqlalchemy/sql/elements.py\", line 332, in _execute_on_connection\n    return connection._execute_clauseelement(\n  File \"/usr/local/lib/python3.9/site-packages/sqlalchemy/engine/base.py\", line 1498, in _execute_clauseelement\n    ret = self._execute_context(\n  File \"/usr/local/lib/python3.9/site-packages/sqlalchemy/engine/base.py\", line 1862, in _execute_context\n    self._handle_dbapi_exception(\n  File \"/usr/local/lib/python3.9/site-packages/sqlalchemy/engine/base.py\", line 2043, in _handle_dbapi_exception\n    util.raise_(\n  File \"/usr/local/lib/python3.9/site-packages/sqlalchemy/util/compat.py\", line 208, in raise_\n    raise exception\n  File \"/usr/local/lib/python3.9/site-packages/sqlalchemy/engine/base.py\", line 1819, in _execute_context\n    self.dialect.do_execute(\n  File \"/usr/local/lib/python3.9/site-packages/sqlalchemy/engine/default.py\", line 732, in do_execute\n    cursor.execute(statement, parameters)\n  File \"/usr/local/lib/python3.9/site-packages/pymysql/cursors.py\", line 148, in execute\n    result = self._query(query)\n  File \"/usr/local/lib/python3.9/site-packages/pymysql/cursors.py\", line 310, in _query\n    conn.query(q)\n  File \"/usr/local/lib/python3.9/site-packages/pymysql/connections.py\", line 548, in query\n    self._affected_rows = self._read_query_result(unbuffered=unbuffered)\n  File \"/usr/local/lib/python3.9/site-packages/pymysql/connections.py\", line 775, in _read_query_result\n    result.read()\n  File \"/usr/local/lib/python3.9/site-packages/pymysql/connections.py\", line 1156, in read\n    first_packet = self.connection._read_packet()\n  File \"/usr/local/lib/python3.9/site-packages/pymysql/connections.py\", line 725, in _read_packet\n    packet.raise_for_error()\n  File \"/usr/local/lib/python3.9/site-packages/pymysql/protocol.py\", line 221, in raise_for_error\n    err.raise_mysql_exception(self._data)\n  File \"/usr/local/lib/python3.9/site-packages/pymysql/err.py\", line 143, in raise_mysql_exception\n    raise errorclass(errno, errval)\nsqlalchemy.exc.ProgrammingError: (pymysql.err.ProgrammingError) (1064, \"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''test': '1'} \\n LIMIT 1' at line 3\")\n[SQL: SELECT user.password AS user_password, user.id AS user_id, user.username AS user_username, user.fullname AS user_fullname, user.email AS user_email, user.profile_img AS user_profile_img, user.deleted AS user_deleted, user.is_group AS user_is_group, user.properties AS user_properties \nFROM user \nWHERE user.username = %(username_1)s \n LIMIT %(param_1)s]\n[parameters: {'username_1': {'test': 1}, 'param_1': 1}]\n(Background on this error at: https://sqlalche.me/e/14/f405)\n

* fix: possible unauthenticated SQL injection when login * add to api layer * update ldap_auth

jczhong84 added 3 commits December 8, 2023 00:03

fix: possible unauthenticated SQL injection when login

d93ddf3

add to api layer

d007cd5

update ldap_auth

2c56431

czgu approved these changes Dec 8, 2023

View reviewed changes

czgu merged commit 7214963 into pinterest:master Dec 8, 2023
3 checks passed

aidenprice pushed a commit to arrowtail-precision/querybook that referenced this pull request Jan 3, 2024

fix: possible unauthenticated SQL injection when login (pinterest#1383)

788acf8

* fix: possible unauthenticated SQL injection when login * add to api layer * update ldap_auth

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: possible unauthenticated SQL injection when login #1383

fix: possible unauthenticated SQL injection when login #1383

jczhong84 commented Dec 8, 2023

fix: possible unauthenticated SQL injection when login #1383

fix: possible unauthenticated SQL injection when login #1383

Conversation

jczhong84 commented Dec 8, 2023