Remove usage of potentially unsafe SQL constructs #83
Labels
No Label
priority
high
priority
low
priority
medium
priority
very high
BUG
Feature
High Priority
Low Priority
Medium Priority
No Milestone
No project
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: public/pyceo#83
Loading…
Reference in New Issue
No description provided.
Delete Branch "%!s(<nil>)"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Looks like https://git.csclub.uwaterloo.ca/public/pyceo/src/branch/master/ceod/db/MySQLService.py#L47 and the PostgreSQL equivalent are using f strings to format the queries they execute.
As far as I'm aware, this doesn't protect against SQL injection, and although I know everyone in the CSC are good, machine usage policy following people, it should probably be changed to use the safer constructs outlined here: https://www.psycopg.org/docs/usage.html#passing-parameters-to-sql-queries and the MySQL equivalents.
Should just be contained in
ceod/db
.Actually this isn't really user facing, and probably isn't called with user-facing code so it's probably not an issue, but it's a pretty straightforward fix AFAIK.