SQL Injection risks in Postgres meta queries #6666
rdimaio added a commit to rdimaio/rucio that referenced this issue on Apr 10, 2024
rdimaio added a commit to rdimaio/rucio that referenced this issue on Apr 10, 2024
…o#6666
Main reference: https://www.psycopg.org/docs/usage.html#query-parameters
On why the comma is needed for single-element tuples: https://stackoverflow.com/questions/12876177/how-to-create-a-singleton-tuple-with-only-one-element
rdimaio added a commit to rdimaio/rucio that referenced this issue on Apr 10, 2024
…o#6666
Main reference: https://www.psycopg.org/docs/usage.html#query-parameters
On why the comma is needed for single-element tuples: https://stackoverflow.com/questions/12876177/how-to-create-a-singleton-tuple-with-only-one-element
rdimaio added a commit to rdimaio/rucio that referenced this issue on Apr 10, 2024
…o#6666
Main reference: https://www.psycopg.org/docs/usage.html#query-parameters
On why the comma is needed for single-element tuples: https://stackoverflow.com/questions/12876177/how-to-create-a-singleton-tuple-with-only-one-element
In the CREATE TABLE IF NOT EXISTS statement, psycopg2.sql must be used: https://www.psycopg.org/psycopg3/docs/api/sql.html#module-psycopg.sql
Blocked by #6669
rdimaio added a commit to rdimaio/rucio that referenced this issue on Apr 15, 2024
…o#6666
Main reference: https://www.psycopg.org/docs/usage.html#query-parameters
On why the comma is needed for single-element tuples: https://stackoverflow.com/questions/12876177/how-to-create-a-singleton-tuple-with-only-one-element
Example problematic query:
rucio/lib/rucio/core/did_meta_plugins/postgres_meta.py, line 85 in 834a7c0

From the psycopg2 docs (https://www.psycopg.org/docs/usage.html#the-problem-with-the-query-parameters):

Affected queries should be rewritten in the way proposed here https://stackoverflow.com/questions/45128902/psycopg2-and-sql-injection-security to prevent SQL injections.