Replies: 1 comment 1 reply
-
Great question! I've always looked at pyparsing as a way to implement a bespoke parser, as a tactic for preventing various attacks based on eval(). fourFn.py was a very early implementation of this, but pyparsing has evolved over time. I wrote Even so, I've felt that I'll follow up with some more details on these - I am about to be late for a meeting! |
Beta Was this translation helpful? Give feedback.
-
I have the unfortunate business requirement of allowing users to type arbitrary math expressions and send them to our SQL database. Granted these are not full SQL queries; we just give them control over math expressions within SELECT or WHERE clauses. Think WHERE (column_a + column_b) / (100 * column_c).
In order to validate and prevent injection, simple SQL parameterization doesn't work here. Statements are arbitrary, with any number of parenthesis or operations.
Using pyparser (based on the fourFn.py template) to validate these expressions seems like the best solution so far. We can very strictly define which symbols are allowed, validate the column names exist, then swap out the column names with random non-zero values and check if the expression is syntactically valid. Extending the parser to allow more complicated functions or operations is trivial.
Other solutions involve:
Running some simple SQL injection fuzzing, pyparser has so far passed with flying colors. It feels like a good solution given the circumstances. But I'm wondering if theres any known vulnerabilities that we might not be aware of, or edge cases that make this not acceptable to use as an input sanitizer.
Beta Was this translation helpful? Give feedback.
All reactions