
escape pgsql field and values generated by buildGetCondition #577

Merged: 1 commit, Feb 8, 2022

Conversation

displague (Member)

Description

SQL column names and values should be escaped. Go does not offer a generic function for this (as it tends to be SQL dialect specific). The "pq" library, which we are using as a PostgreSQL interface, does provide helpers for this purpose.

https://pkg.go.dev/github.com/lib/pq#QuoteIdentifier

Alternatively, buildGetCondition is only used by one caller. It should be possible to remove buildGetCondition and have GetTemplate build a parameterized query with a parameterized list (some SQLs or client libraries don't allow for field names to be parameters, I don't know if that is the case here).

Why is this needed

Fixes: #574

How Has This Been Tested?

How are existing users impacted? What migration steps/scripts do we need?

Checklist:

I have:

  • updated the documentation and/or roadmap (if required)
  • added unit or e2e tests
  • provided instructions on how to upgrade
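The two approaches the description weighs (quoting identifiers with the pq helper, and parameterizing values) can be combined, and in PostgreSQL they have to be: the server does not accept a column name as a bind parameter, so names must be quoted as identifiers while values go in as `$n` placeholders. The following is an added example, not the project's code and not the actual change in this PR. It assumes a `Field` type of its own, a `quoteIdentifier` function that reimplements the documented behaviour of `pq.QuoteIdentifier` on the standard library alone (so the example runs without the pq module), and a table named `template` for the printed statement; the input is constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Field is one column/value pair that a GetTemplate-style lookup filters on.
// Assumption: the shape of the real buildGetCondition input is not shown on
// the PR page; this type is invented for the example.
type Field struct {
	Name  string
	Value string
}

// quoteIdentifier is a stand-in for pq.QuoteIdentifier written against the
// standard library only. It applies the same PostgreSQL quoted-identifier
// rule: wrap the name in double quotes, double any embedded double quote,
// and drop anything after a NUL byte.
func quoteIdentifier(name string) string {
	if end := strings.IndexByte(name, 0); end >= 0 {
		name = name[:end]
	}
	return `"` + strings.ReplaceAll(name, `"`, `""`) + `"`
}

// buildGetConditionUnsafe shows the pattern the linked issue is about:
// column names and values spliced straight into the SQL text. A single
// quote in ordinary data, or a double quote in a name, changes the statement.
func buildGetConditionUnsafe(fields []Field) string {
	conds := make([]string, 0, len(fields))
	for _, f := range fields {
		conds = append(conds, fmt.Sprintf("%s = '%s'", f.Name, f.Value))
	}
	return strings.Join(conds, " AND ")
}

// buildGetCondition is the hardened form: every column name goes through
// quoteIdentifier and every value becomes a positional placeholder ($1, $2,
// ...). The returned args slice is handed to db.Query alongside the
// statement, so values never become part of the SQL text.
func buildGetCondition(fields []Field) (string, []interface{}) {
	conds := make([]string, 0, len(fields))
	args := make([]interface{}, 0, len(fields))
	for i, f := range fields {
		conds = append(conds, fmt.Sprintf("%s = $%d", quoteIdentifier(f.Name), i+1))
		args = append(args, f.Value)
	}
	return strings.Join(conds, " AND "), args
}

func main() {
	// Constructed input: an apostrophe in a perfectly legitimate value is
	// enough to break the unsafe builder.
	fields := []Field{{Name: "name", Value: "O'Reilly"}, {Name: "id", Value: "42"}}

	fmt.Println("unsafe:", buildGetConditionUnsafe(fields))

	where, args := buildGetCondition(fields)
	fmt.Printf("safe:   SELECT * FROM template WHERE %s  args=%v\n", where, args)
	// With database/sql and the pq driver the call would be:
	//   db.Query("SELECT * FROM template WHERE "+where, args...)
}
```

One caveat when switching to quoted identifiers: PostgreSQL folds unquoted names to lower case but keeps quoted names case-sensitive, so a caller that previously passed `Name` for a column created as `name` will start getting "column does not exist" errors. Restricting accepted column names to a known allow-list on top of the quoting is the usual belt-and-braces approach.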

@displague displague requested a review from mmlb January 12, 2022 13:11
mmlb (Contributor) previously approved these changes Jan 25, 2022

@mmlb mmlb left a comment

lgtm, needs a rebase though. Shall I do it?

@cprivitere

@mergify rebase

@mergify (Contributor)

mergify bot commented Feb 8, 2022

@cprivite is not allowed to run commands

Hey, I reacted but my real name is @Mergifyio

@cprivitere

@cprivite is not allowed to run commands

Hey, I reacted but my real name is @Mergifyio

Oh well, I tried.

@mmlb (Contributor)

mmlb commented Feb 8, 2022

rebased on top of latest main

@mmlb mmlb added the ready-to-merge Signal to Mergify to merge the PR. label Feb 8, 2022
@codecov

codecov bot commented Feb 8, 2022

Codecov Report

Merging #577 (23f3466) into main (2be823c) will not change coverage.
The diff coverage is 100.00%.


@@           Coverage Diff           @@
##             main     #577   +/-   ##
=======================================
  Coverage   38.52%   38.52%           
=======================================
  Files          53       53           
  Lines        3561     3561           
=======================================
  Hits         1372     1372           
  Misses       2092     2092           
  Partials       97       97           
Impacted Files   Coverage Δ
db/db.go         56.00% <100.00%> (ø)

Δ = absolute <relative> (impact), ø = not affected, ? = missing data

@mergify mergify bot merged commit c047011 into tinkerbell:main Feb 8, 2022
@displague displague added this to the 0.7.0 milestone Aug 15, 2022

Successfully merging this pull request may close these issues.

trivial sql injection in GetTemplate
3 participants