Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SQL injection vulnerability #92

Open
mccalluc opened this issue Dec 21, 2018 · 3 comments
Open

SQL injection vulnerability #92

mccalluc opened this issue Dec 21, 2018 · 3 comments

Comments

@mccalluc
Copy link
Collaborator

    query = """
        SELECT importance, chrOffset, fields FROM intervals
        WHERE fields LIKE '%{}%'
        ORDER BY importance DESC
        LIMIT 10
        """.format(text)

    rows = c.execute(query).fetchall()

Maybe something upstream is santitizing text, but still, this is not good. Use the ? instead.

@mccalluc
Copy link
Collaborator Author

@pkerpedjiev. Here's a fix, I think. (I checked out the project, and realize now I don't have write privs, and would make a fork, but I should head out.) (also make the list building more idiomatic.)

    query = """
        SELECT importance, chrOffset, fields FROM intervals
        WHERE fields LIKE '%?%'
        ORDER BY importance DESC
        LIMIT 10
        """

    rows = c.execute(query, text).fetchall()

    to_return = []
    for (importance, chrOffset, fields) in rows:
        field_parts = fields.split('\t')
        to_return.append({
                      'chr': field_parts[0],
                      'txStart': int(field_parts[1]),
                      'txEnd': int(field_parts[2]),
                      'score': importance,
                      'geneName': field_parts[3]})
    return to_return

@pkerpedjiev
Copy link
Member

You should have write privileges now. And no, text is not being sanitized. It comes directly from the search box. I presume c.execute() does some sanitization when the parameter is passed in through there?

@mccalluc
Copy link
Collaborator Author

Yeah: using execute to pass in parameters is the way to avoid injection attacks.

On a second look: I don't think syntactically LIKE '%?%' is going to work... Let me get it running locally, and try LIKE '%' || ? || '%'...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants