Detecting misuse of the psycopg2.sql module
#412
Comments
Hi @Changaco! I was considering picking up this issue as a way to contribute but it looks like these cases would be covered by
Is there another variation of this issue involving
@wtkm11 bandit still doesn't detect calling the SQL constructor with a non-literal. For example in a function that receives a table name as an argument, using

```python
from psycopg2 import sql

def count_rows(db, table):
    print(db.one(sql.SQL('select count(*) from {}').format(sql.Identifier(table))))  # safe
    print(db.one(sql.SQL('select count(*) from {}').format(sql.SQL(table))))  # unsafe
```
Add a plugin test to detect when something other than a string literal is passed to the constructor of the `psycopg2.sql.SQL` composable object. Resolves: PyCQA#412
I wrote a plugin test (#608) to detect situations like this:
The non-literal being passed in
I don't see why it should be low confidence, and I think it would make the test useless because in my experience low confidence alerts are numerous and have to be silenced by default.
The psycopg2.sql module is meant to provide a safe way to compose SQL queries dynamically; however, it is possible to misuse it in a way that would result in an SQL injection vulnerability, and bandit currently doesn't support detecting this.
Solution: create a new test to detect when a psycopg2.sql.SQL object is being created from a non-literal, e.g. `SQL(foo)` or `SQL('%s AND %s' % (foo, bar))`. The severity and confidence levels of this new test would both be at least "medium".
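A stdlib-only sketch of the check this issue asks for, as an added example (it is not the bandit plugin from #608): walk the AST, resolve the psycopg2 `SQL` name from the module's imports, and report every `SQL(...)` call whose first argument is not a plain string literal, covering the `SQL(table)`, `%`-formatting and f-string variants. `SAMPLE_SOURCE` is constructed input mirroring the `count_rows` snippet above.

```python
import ast

# Constructed input for this example; it mirrors the count_rows snippet from the thread.
SAMPLE_SOURCE = '''
from psycopg2 import sql

def count_rows(db, table):
    q1 = sql.SQL('select count(*) from {}').format(sql.Identifier(table))  # safe
    q2 = sql.SQL('select count(*) from {}').format(sql.SQL(table))  # unsafe: Name
    q3 = sql.SQL('select * from t where a = %s' % table)  # unsafe: BinOp
    q4 = sql.SQL(f'select * from {table}')  # unsafe: JoinedStr (f-string)
    return q1, q2, q3, q4
'''


def _callee_name(call: ast.Call) -> str:
    """Rebuild the dotted callee name, e.g. 'sql.SQL'; '' if the callee is not a plain name."""
    parts, cur = [], call.func
    while isinstance(cur, ast.Attribute):
        parts.append(cur.attr)
        cur = cur.value
    if not isinstance(cur, ast.Name):
        return ""
    parts.append(cur.id)
    return ".".join(reversed(parts))


def find_non_literal_sql(source: str) -> "list[tuple[int, str]]":
    """Return (lineno, argument node type), sorted by line, for every psycopg2 SQL(...)
    call whose first argument is not a string literal. Names are taken from the imports."""
    tree = ast.parse(source)
    sql_names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and node.module == "psycopg2":
            for a in node.names:  # from psycopg2 import sql [as s]  ->  s.SQL
                if a.name == "sql":
                    sql_names.add((a.asname or a.name) + ".SQL")
        elif isinstance(node, ast.ImportFrom) and node.module == "psycopg2.sql":
            for a in node.names:  # from psycopg2.sql import SQL [as S]  ->  S
                if a.name == "SQL":
                    sql_names.add(a.asname or a.name)
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and node.args and _callee_name(node) in sql_names:
            arg = node.args[0]
            # Only a plain str constant passes; f-strings, %-formatting and names are non-literals.
            if not (isinstance(arg, ast.Constant) and isinstance(arg.value, str)):
                findings.append((node.lineno, type(arg).__name__))
    return sorted(findings)
```

Run against `SAMPLE_SOURCE` it reports lines 6, 7 and 8 (the `Name`, `BinOp` and `JoinedStr` arguments) and leaves the `Identifier`-based query alone.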