Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SQL Injection risks in Postgres meta queries #6666

Open
rdimaio opened this issue Apr 10, 2024 · 1 comment
Open

SQL Injection risks in Postgres meta queries #6666

rdimaio opened this issue Apr 10, 2024 · 1 comment
Assignees
@rdimaio
Labels
Security

Comments

@rdimaio
Copy link
Contributor

rdimaio commented Apr 10, 2024

Example problematic query:

rucio/lib/rucio/core/did_meta_plugins/postgres_meta.py

Line 85 in 834a7c0

statement = "SET search_path TO {};".format(db_schema)

From the psycopg2 docs (https://www.psycopg.org/docs/usage.html#the-problem-with-the-query-parameters):

Warning
Never, never, NEVER use Python string concatenation (+) or string parameters interpolation (%) to pass variables to a SQL query string. Not even at gunpoint.

Affected queries should be rewritten in the way proposed here https://stackoverflow.com/questions/45128902/psycopg2-and-sql-injection-security to prevent SQL injections.
@rdimaio rdimaio mentioned this issue Apr 10, 2024
Open
3 tasks
@rdimaio rdimaio self-assigned this Apr 10, 2024
rdimaio added a commit to rdimaio/rucio that referenced this issue Apr 10, 2024
@rdimaio
Security: Refactor PostgreSQL queries to prevent SQL injections; ruci…
d76021a 
…o#6666
rdimaio added a commit to rdimaio/rucio that referenced this issue Apr 10, 2024
@rdimaio
Security: Refactor PostgreSQL queries to prevent SQL injections; ruci…
bacea93 
…o#6666

Main reference: 5https://www.psycopg.org/docs/usage.html#query-parameters
On why the comma is needed for single-element tuples:
https://stackoverflow.com/questions/12876177/how-to-create-a-singleton-tuple-with-only-one-element
rdimaio added a commit to rdimaio/rucio that referenced this issue Apr 10, 2024
@rdimaio
Security: Refactor PostgreSQL queries to prevent SQL injections; ruci…
e7c967a 
…o#6666

Main reference: 5https://www.psycopg.org/docs/usage.html#query-parameters
On why the comma is needed for single-element tuples:
https://stackoverflow.com/questions/12876177/how-to-create-a-singleton-tuple-with-only-one-element
rdimaio added a commit to rdimaio/rucio that referenced this issue Apr 10, 2024
@rdimaio
Security: Refactor PostgreSQL queries to prevent SQL injections; ruci…
d92cd57 
…o#6666

Main reference: 5https://www.psycopg.org/docs/usage.html#query-parameters
On why the comma is needed for single-element tuples:
https://stackoverflow.com/questions/12876177/how-to-create-a-singleton-tuple-with-only-one-element

In the CREATE TABLE IF NOT EXISTS statement, psycopg2.sql must be used:
https://www.psycopg.org/psycopg3/docs/api/sql.html#module-psycopg.sql
@rdimaio rdimaio mentioned this issue Apr 11, 2024
Open
@rdimaio
Copy link
Contributor Author

rdimaio commented Apr 11, 2024

Blocked by #6669

rdimaio added a commit to rdimaio/rucio that referenced this issue Apr 15, 2024
@rdimaio
Security: Refactor PostgreSQL queries to prevent SQL injections; ruci…
e5e0faa 
…o#6666

Main reference: https://www.psycopg.org/docs/usage.html#query-parameters
On why the comma is needed for single-element tuples:
https://stackoverflow.com/questions/12876177/how-to-create-a-singleton-tuple-with-only-one-element
@robbarnsley robbarnsley mentioned this issue May 22, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rdimaio rdimaio

Labels
Security
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@rdimaio