Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add parameters in clickhouse and mysql engine to avoid sql injection #2062

Merged
merged 2 commits into from
Mar 13, 2023
Merged

add parameters in clickhouse and mysql engine to avoid sql injection #2062

merged 2 commits into from
Mar 13, 2023

Conversation

LeoQuote
Copy link
Collaborator

用户传的 db_name 可能带来 sql 注入风险, 这个风险其实由来已久.

sql 注入的防止有两个方向:

  1. 对用户输入过滤, 替换字符串
  2. 将用户输入当作参数传入, 由 sdk 来做转义等

本 pr 采用的是第二个方法

但是由于有部分的sql 语句拼接实在太多, 实际上无法避免.

sql 注入还是比较严重的风险, 其他引擎由于我没有测试环境, 所以也不太敢修改, 如有测试环境的, 还请帮忙修改一下.

@codecov
Copy link

codecov bot commented Feb 25, 2023
edited
Loading

Codecov Report

Patch coverage: 66.66% and project coverage change: -0.03 ⚠️

Comparison is base (96094b4) 75.02% compared to head (5a4a7fe) 74.99%.

❗ Current head 5a4a7fe differs from pull request most recent head debbf8b. Consider uploading reports for the commit debbf8b to get more accurate results

Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #2062      +/-   ##
==========================================
- Coverage   75.02%   74.99%   -0.03%     
==========================================
  Files         102      102              
  Lines       14811    14834      +23     
==========================================
+ Hits        11112    11125      +13     
- Misses       3699     3709      +10
Impacted Files Coverage Δ
sql/sql_optimize.py 58.60% <0.00%> (-0.64%) ⬇️
sql/tests.py 98.88% <ø> (ø)
sql/instance.py 51.58% <40.00%> (-0.27%) ⬇️
sql/engines/mysql.py 78.17% <58.33%> (ø)
sql/engines/clickhouse.py 71.60% <85.71%> (+0.11%) ⬆️
sql/data_dictionary.py 100.00% <100.00%> (ø)
sql/engines/__init__.py 67.03% <100.00%> (ø)
sql_api/api_workflow.py 69.63% <100.00%> (+0.37%) ⬆️

... and 1 file with indirect coverage changes

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report in Codecov by Sentry.
📢 Do you have feedback about the report comment? Let us know in this issue.

@hhyo
Copy link
Owner

hhyo commented Feb 25, 2023

路径比较多,可以集中在在私有漏洞报告里面跟进https://github.com/hhyo/Archery/security/advisories

@LeoQuote
Copy link
Collaborator Author

太多了,她给的是很全,但是大部分我可能想不到既能保证功能又保证安全的实现

@hhyo
Copy link
Owner

hhyo commented Feb 25, 2023

太多了,她给的是很全,但是大部分我可能想不到既能保证功能又保证安全的实现

增加了提到的外置参数转义,对于字符类型的可以有效的处理,还有一个点涉及的是sql内容,本身sql内容是需要提交到审核、查询函数的,无法统一处理

@LeoQuote
Copy link
Collaborator Author

@hhyo 关于外置的转义我有一点迟疑,原因是有多引擎的设置,各个engine 的转义会不会不一样? 是否需要把转义挪到 engine内部去。

以及,如果多的话,是否需要一个单独的函数或者装饰器甚至是middleware来复用代码。😂

@hhyo
Copy link
Owner

hhyo commented Feb 26, 2023

escape

确认了下各个engine依赖的包,escape方式不尽相同,我剔除escape的提交,还是尽量走预编译的形式,可由用户输入的外置参数也就是escape的那一些

@LeoQuote
Copy link
Collaborator Author

LeoQuote commented Mar 3, 2023

这个方案都没跑过集成测试,有空我得自己跑一下试试看

@hhyo hhyo merged commit 69c78c0 into hhyo:master Mar 13, 2023
hhyo added a commit that referenced this pull request Mar 13, 2023
@hhyo
Revert "add parameters in clickhouse and mysql engine to avoid sql in…
fe13ec2 
…jection (#2062)"

This reverts commit 69c78c0.
@hhyo hhyo mentioned this pull request Mar 13, 2023
Merged
hhyo added a commit that referenced this pull request Mar 13, 2023
@hhyo
Revert "add parameters in clickhouse and mysql engine to avoid sql in…
38d7a19 
…jection" (#2077)

Revert "add parameters in clickhouse and mysql engine to avoid sql injection (#2062)"

This reverts commit 69c78c0.
@LeoQuote
Copy link
Collaborator Author

哎呀, 还没测试呀- - 应该维持 draft 状态的

@hhyo hhyo mentioned this pull request Mar 31, 2023
Merged
@LeoQuote LeoQuote deleted the fix_sql_injection branch August 7, 2023 04:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hhyo hhyo hhyo approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@LeoQuote @hhyo