Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: improve sql table name validation #3965

Open
wants to merge 7 commits into
base: main
Choose a base branch
from
Open

fix: improve sql table name validation #3965

wants to merge 7 commits into from

Conversation

harshittiwariii
Copy link
Contributor

@harshittiwariii harshittiwariii commented Mar 21, 2024
edited

#3933 fix: improve sql table name validation

issue: #3933

Change 1 - A validation function to ensure that only valid table names are used when constructing queries dynamically in the codebase. ✅

Change 2 - In our latest_schema method, replaced the manual table name checks with a call to this function✅:

 # Use the validation function to check the table name
    if not self.is_valid_table_name(table_name):
        raise ValueError(f"Invalid table name: {table_name}")

Change 3 - Bandit issue addressed in line 269 and 888 i.e; Possible SQL injection vector through string-based query construction.✅

I think bandit is happy now for cvedb.py file :)

Note: I have divided problem in chunks so right now I cleared out cvedb.py file now I will move towards other files also.
Once everything done, I will squash commits no worries ;]

inosmeet
inosmeet reviewed Mar 22, 2024
View reviewed changes
cve_bin_tool/cvedb.py Outdated Show resolved Hide resolved
@harshittiwariii
Copy link
Contributor Author

@terriko
Update: I wasn't well from the past few days.
Here are the few changes I did-
Since, we are using predefined table_names, thus eliminating the possibility of taking user input. Therefore, I have defined table names and based on that I created a validation function to validate table name and then I constructed the query directly using the table names.
Any suggestions and queries are welcomed.
Thank you.

terriko
terriko requested changes Apr 1, 2024
View reviewed changes
Copy link
Contributor

@terriko terriko left a comment
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like this is failing a number of test jobs because it can't run at all:

 │ ❱  242 │   │   │   │   not self.latest_schema("cve_severity", severity_schem │
│    243 │   │   │   │   or not self.latest_schema("cve_range", range_schema)  │
│    244 │   │   │   │   or not self.latest_schema("cve_exploited", exploit_sc │
│    245 │   │   │   │   # or not self.latest_schema("cve_metrics",cve_metrics │
│                                                                              │
│ /home/runner/work/cve-bin-tool/cve-bin-tool/cve_bin_tool/cvedb.py:288 in     │
│ latest_schema                                                                │
│                                                                              │
│    285 │   │   table_schema.pop()                                            │
│    286 │   │                                                                 │
│    287 │   │   # getting current schema from cve_severity                    │
│ ❱  288 │   │   current_schema = [x[0] for x in result.description]           │
│    289 │   │                                                                 │
│    290 │   │   if table_schema == current_schema:                            │
│    291 │   │   │   schema_latest = True                                      │
╰──────────────────────────────────────────────────────────────────────────────╯
AttributeError: 'list' object has no attribute 'description'

@harshittiwariii
Copy link
Contributor Author

Looks like this is failing a number of test jobs because it can't run at all:

 │ ❱  242 │   │   │   │   not self.latest_schema("cve_severity", severity_schem │
│    243 │   │   │   │   or not self.latest_schema("cve_range", range_schema)  │
│    244 │   │   │   │   or not self.latest_schema("cve_exploited", exploit_sc │
│    245 │   │   │   │   # or not self.latest_schema("cve_metrics",cve_metrics │
│                                                                              │
│ /home/runner/work/cve-bin-tool/cve-bin-tool/cve_bin_tool/cvedb.py:288 in     │
│ latest_schema                                                                │
│                                                                              │
│    285 │   │   table_schema.pop()                                            │
│    286 │   │                                                                 │
│    287 │   │   # getting current schema from cve_severity                    │
│ ❱  288 │   │   current_schema = [x[0] for x in result.description]           │
│    289 │   │                                                                 │
│    290 │   │   if table_schema == current_schema:                            │
│    291 │   │   │   schema_latest = True                                      │
╰──────────────────────────────────────────────────────────────────────────────╯
AttributeError: 'list' object has no attribute 'description'

Thank you for the review @terriko
I am already working on it.

@terriko terriko mentioned this pull request Apr 3, 2024
Merged
terriko
terriko requested changes Apr 3, 2024
View reviewed changes
cve_bin_tool/cvedb.py Outdated Show resolved Hide resolved
@harshittiwariii
Copy link
Contributor Author

@terriko Thanks for reviews. From past 2 days I m not well. I will get back to it as soon as i feel little better.
Apologies for delay.
Regards
Harshit Tiwari

inosmeet added a commit to inosmeet/cve-bin-tool that referenced this pull request Apr 10, 2024
@inosmeet
feat: structure for sql table name validation
f85cd84 
added dictionary to be used for better table name validation. This
will help resolve bandit issues in intel#3965.

Signed-off-by: Meet Soni <meetsoni3017@gmail.com>
terriko pushed a commit that referenced this pull request Apr 10, 2024
@inosmeet
refactor: database schema check (#3968)
1794aac 
added dictionary to be used for better table name validation. This
will help resolve bandit issues in #3965.

---------

Signed-off-by: Meet Soni <meetsoni3017@gmail.com>
@terriko terriko changed the title #3933 fix: improve sql table name validation fix: improve sql table name validation Apr 10, 2024
@terriko
Copy link
Contributor

terriko commented Apr 10, 2024

I think maybe the bandit issue has been resolved with the refactoring of the schema checks in #3968. I'll leave this open so you can decide if there's more to do in terms of improving validation, though.

@terriko terriko closed this Apr 10, 2024
@terriko terriko reopened this Apr 10, 2024
@terriko terriko added awaiting response Need more information from submitter and removed awaiting CI labels Apr 10, 2024
@inosmeet
Copy link
Contributor

I think maybe the bandit issue has been resolved with the refactoring of the schema checks in #3968. I'll leave this open so you can decide if there's more to do in terms of improving validation, though.

Actually, I've just implemented the structure so that @harshittiwariii can go forward with this PR using that.

@inosmeet
Copy link
Contributor

Hey @harshittiwariii!
Continuing after gitter discussion, for rebase you can do interactive rebase.
And then implement something like this comment I made in #3968. Doing so will resolve bandit issues.

@harshittiwariii
Copy link
Contributor Author

I think maybe the bandit issue has been resolved with the refactoring of the schema checks in #3968. I'll leave this open so you can decide if there's more to do in terms of improving validation, though.

I am really sorry for all the delays and everything on this @terriko
Currently I am feeling little bit good.
@terriko I wanted to ask what needs to be done here at this point and what else U want me to do. I will proceed with that.
Since, A lot happened when I was away coz of infection and all.
It would be great if @terriko point me further.
Thank you.
Ps: I want to continue with improvement part.

@terriko
Copy link
Contributor

terriko commented Apr 15, 2024

As @inosmeet says, their changes to fix another issue should make your code easier in the end.

You could git rebase origin/main but since you don't have a huge number of changes, you might find it easier to just make a new branch based on origin/main.

Either way, here's what you need:

  1. Add the function is_valid_table_name, but use the new EMPTY_SELECT_QUERIES instead of your VALID_TABLE_NAMES. Since EMPTY_SELECT_QUERIES is a dictionary, you can use EMPTY_SELECT_QUERIES.keys() to get the list of table names.
  2. Add youris_valid_table_name check as you have it to get_all_records_in_table
  3. make the changes to latest_schema so it also uses EMPTY_SELECT_QUERIES (as @inosmeet described). Translated to use the new variable name it'll look something like this.
if table_name in EMPTY_SELECT_QUERIES.keys():
    query = EMPTY_SELECT_QUERIES [table_name]
    cursor.execute(query)
else:
    # Handle invalid table names
    raise ValueError("Invalid table name")

@terriko terriko removed the awaiting response Need more information from submitter label Apr 15, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@inosmeet inosmeet inosmeet left review comments

@terriko terriko terriko requested changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@harshittiwariii @terriko @inosmeet