BUG | Unsafe WHERE condition #32

Closed
v1a0 opened this issue Jun 18, 2021 · 1 comment
Labels
bug Something isn't working or doesn't seems to work right help wanted Extra attention is needed

Comments

@v1a0
Owner

v1a0 commented Jun 18, 2021

In the case where the WHERE condition is generated by SQLite3xSearchCondition and has a str value as the other argument, it is just inserted inline into the SQL script.
But it has to be added to stmt.request.values and then executed safely:

```python
cur.execute(stmt.request.script, stmt.request.values)
```

Unsafe case

```python
users.update(
        {
            id_col: id_col + 2
        },
        WHERE=(name_col == 'Alex')   # might be SQL-injection instead "Alex"
)
```

```python
class SQLite3xSearchCondition(str):
    ...
    def _str_gen(self, value, operator: str):
        if type(value) == str:
            return SQLite3xSearchCondition(
                f"({self}{operator}'{value}')"  # unsafe! str value is inlined into the script
            )
        else:
            return SQLite3xSearchCondition(
                f"({self}{operator}{value})"
            )
```
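The following is an added, self-contained illustration of the problem the issue describes and of the parameterized alternative it asks for; it is not sqllex's code or its actual fix. `UnsafeSearchCondition` reproduces the inlining pattern quoted above, while `SearchCondition`, `column` and `build_update` are hypothetical names for a builder that emits `?` placeholders and carries the values separately so that `cur.execute(script, values)` binds them. The table rows and the test string containing a quote are constructed for the demonstration.

```python
import sqlite3
from typing import Any, Dict, Tuple


# --- Pattern reported in the issue (constructed reproduction, not sqllex's code) ---
class UnsafeSearchCondition(str):
    """str subclass that pastes str operands straight into the SQL text."""

    def _str_gen(self, value: Any, operator: str) -> "UnsafeSearchCondition":
        if type(value) is str:
            # unsafe: the value becomes part of the SQL itself
            return UnsafeSearchCondition(f"({self}{operator}'{value}')")
        return UnsafeSearchCondition(f"({self}{operator}{value})")

    def __eq__(self, other: Any) -> "UnsafeSearchCondition":  # type: ignore[override]
        return self._str_gen(other, "=")

    __hash__ = str.__hash__


# --- Hardened variant (hypothetical design, not the project's fix) ---
class SearchCondition:
    """SQL fragment with '?' placeholders plus the tuple of values that fill them."""

    def __init__(self, script: str, values: Tuple[Any, ...] = ()) -> None:
        self.script = script
        self.values = tuple(values)

    def _gen(self, other: Any, operator: str) -> "SearchCondition":
        if isinstance(other, SearchCondition):  # column <op> column: splice scripts and values
            return SearchCondition(f"({self.script}{operator}{other.script})",
                                   self.values + other.values)
        # Any plain Python value (str, int, ...) is bound, never interpolated.
        return SearchCondition(f"({self.script}{operator}?)", self.values + (other,))

    def __eq__(self, other: Any) -> "SearchCondition":  # type: ignore[override]
        return self._gen(other, "=")

    def __add__(self, other: Any) -> "SearchCondition":
        return self._gen(other, "+")

    __hash__ = object.__hash__


def column(name: str) -> SearchCondition:
    """Column reference. `name` is an identifier chosen by the developer, not user
    input, so it is quoted as an identifier rather than bound as a value."""
    return SearchCondition('"' + name.replace('"', '""') + '"')


def build_update(table: str, set_cols: Dict[SearchCondition, Any],
                 where: SearchCondition) -> Tuple[str, Tuple[Any, ...]]:
    """Assemble an UPDATE whose literals all travel in the values tuple."""
    parts, values = [], []
    for col, new in set_cols.items():
        if not isinstance(new, SearchCondition):
            new = SearchCondition("?", (new,))
        parts.append(f"{col.script} = {new.script}")
        values.extend(new.values)
    script = f'UPDATE "{table}" SET ' + ", ".join(parts) + f" WHERE {where.script}"
    return script, tuple(values) + where.values


def run_demo(where_value: str) -> Dict[str, Any]:
    """Run the same update through both builders on identical constructed tables
    and report how many rows each one changed."""
    results: Dict[str, Any] = {}
    for label in ("unsafe", "safe"):
        conn = sqlite3.connect(":memory:")
        cur = conn.cursor()
        cur.execute("CREATE TABLE users (id INTEGER, name TEXT)")
        cur.executemany("INSERT INTO users VALUES (?, ?)",
                        [(1, "Alex"), (2, "Bob"), (3, "Carol")])  # constructed rows
        if label == "unsafe":
            name_col = UnsafeSearchCondition("name")
            script = f"UPDATE users SET id = (id+2) WHERE {name_col == where_value}"
            cur.execute(script)  # whatever was in where_value is now SQL
        else:
            id_col, name_col = column("id"), column("name")
            script, values = build_update("users", {id_col: id_col + 2},
                                          where=(name_col == where_value))
            cur.execute(script, values)  # the value is bound as data
            results["safe_script"], results["safe_values"] = script, values
        results[label] = cur.rowcount
        conn.close()
    return results


if __name__ == "__main__":
    print(run_demo("Alex"))
    print(run_demo("Alex' OR 'x'='x"))
```

With the plain name both builders change one row. With a value that contains a quote and a tautology, the inlining builder rewrites its own WHERE clause and updates every row, whereas the parameterized builder sends `UPDATE "users" SET "id" = ("id"+?) WHERE ("name"=?)` with the whole string as one bound value and matches nothing, which is the behaviour the issue asks for.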
@v1a0 v1a0 added bug Something isn't working or doesn't seems to work right help wanted Extra attention is needed labels Jun 18, 2021
@v1a0 v1a0 added this to To do in sqllex-kanban Jun 29, 2021
v1a0 added a commit that referenced this issue Jul 26, 2021
- Fixed (security) issue #32
- update_stmt remastering: script_gens got 2 new funcs update_script, update_values (moved from update_stmt and cached)
- SQLite3xColumn changed to universal AbstractColumn
- SQLite3xSearchCondition changed to universal SearchCondition
- From AbstractColumn removed __list__ method, prop .table changed from AbstractTable to str
@v1a0
Owner Author

v1a0 commented Jul 26, 2021

Fixed since v0.1.10.5b, will be released with sqllex v0.2

@v1a0 v1a0 closed this as completed Sep 19, 2021
sqllex-kanban automation moved this from To do to Done Sep 19, 2021