From 7214963fef91098b28d9a0306fb3440015a0f32f Mon Sep 17 00:00:00 2001
From: "J.C. Zhong"
Date: Thu, 7 Dec 2023 16:55:25 -0800
Subject: [PATCH] fix: possible unauthenticated SQL injection when login (#1383)

* fix: possible unauthenticated SQL injection when login

* add to api layer

* update ldap_auth
---
 querybook/server/app/auth/ldap_auth.py | 3 +++
 querybook/server/app/auth/oauth_auth.py | 4 ++--
 querybook/server/app/auth/okta_auth.py | 4 ++--
 querybook/server/app/auth/password_auth.py | 4 ++--
 4 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/querybook/server/app/auth/ldap_auth.py b/querybook/server/app/auth/ldap_auth.py
index 8827c05f1..b646a04ba 100644
--- a/querybook/server/app/auth/ldap_auth.py
+++ b/querybook/server/app/auth/ldap_auth.py
@@ -121,6 +121,9 @@ def ldap_authenticate(ldap_conn: SimpleLDAPObject, user_dn: str, password: str):
 
 @with_session
 def login_user(username: str, email: str, full_name: str, session=None):
+    if not username or not isinstance(username, str):
+        raise AuthenticationError("Please provide a valid username")
+
     # Case-insensitive search of the user for backward compatibility.
     # Because it was possible to create e.g. uppercase usernames before.
     user = get_user_by_name(username, case_sensitive=False, session=session)
diff --git a/querybook/server/app/auth/oauth_auth.py b/querybook/server/app/auth/oauth_auth.py
index 70f66f5e9..a9bc68aa7 100644
--- a/querybook/server/app/auth/oauth_auth.py
+++ b/querybook/server/app/auth/oauth_auth.py
@@ -127,8 +127,8 @@ def _parse_user_profile(self, profile_response):
 
     @with_session
     def login_user(self, username, email, session=None):
-        if not username:
-            raise AuthenticationError("Username must not be empty!")
+        if not username or not isinstance(username, str):
+            raise AuthenticationError("Please provide a valid username")
 
         user = get_user_by_name(username, session=session)
         if not user:
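Review bot: Only `username` receives the new runtime guard in `login_user`, although `email` and `full_name` arrive through the same signature and their `str` annotations are no more enforced at runtime than the one on `username` was; the function body continues past the hunk, so if either value reaches a lookup or a user-creation call there it needs the same protection. A single check covering all three, e.g. `for value in (username, email, full_name): if value is not None and not isinstance(value, str): raise AuthenticationError("Please provide a valid username")`, would close that gap without rejecting legitimately absent values. Whether `email` or `full_name` actually reach a query cannot be seen from this hunk, so confirm against the rest of the function before widening the guard.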
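Review bot: The guard on the added lines is the fourth verbatim copy of the same two-line check across the auth providers in this patch, which is exactly the duplication that lets the next provider skip it; a shared helper such as `def require_valid_username(username): if not username or not isinstance(username, str): raise AuthenticationError("Please provide a valid username")`, called from each `login_user` and from `authenticate`, keeps the type rule and the message in one place. The commit description also mentions an API-layer check that is not visible in this patch, and that layer could call the same helper rather than carrying its own definition. The body of `login_user` continues past the hunk.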
diff --git a/querybook/server/app/auth/okta_auth.py b/querybook/server/app/auth/okta_auth.py
index a38dac6f8..3f9836fc7 100644
--- a/querybook/server/app/auth/okta_auth.py
+++ b/querybook/server/app/auth/okta_auth.py
@@ -115,8 +115,8 @@ def _parse_user_profile(self, resp):
 
     @with_session
     def login_user(self, username, email, fullname, session=None):
-        if not username:
-            raise AuthenticationError("Username must not be empty!")
+        if not username or not isinstance(username, str):
+            raise AuthenticationError("Please provide a valid username")
 
         user = get_user_by_name(username, session=session)
         if not user:
diff --git a/querybook/server/app/auth/password_auth.py b/querybook/server/app/auth/password_auth.py
index f2dc7c1ff..79aa4dbd0 100644
--- a/querybook/server/app/auth/password_auth.py
+++ b/querybook/server/app/auth/password_auth.py
@@ -26,8 +26,8 @@ def authenticate(username, password, session=None):
     :raise AuthenticationError: if an error occurred
     :return: a PasswordUser
     """
-    if not username:
-        raise AuthenticationError("Please provide a username")
+    if not username or not isinstance(username, str):
+        raise AuthenticationError("Please provide a valid username")
     if not password:
         raise AuthenticationError("Please provide a password")
 
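Review bot: The `isinstance` check on the added lines is a boundary defence, not a fix at the sink: if `get_user_by_name`, called on the context line below, can be driven into unsafe SQL by a non-`str` argument as the commit title implies, every other caller of that function stays exposed until it binds `username` as a query parameter itself. It is worth confirming how that lookup is built; if it already uses bound parameters the guard is still right, but the intent should then be recorded above it with a comment such as `# Defence in depth: reject non-str input before it reaches the user lookup`. The body of `login_user` continues past the hunk, so what happens to `username` on the `if not user:` path is not visible here.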
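Review bot: `password` is still only checked for emptiness on the unchanged `if not password:` line, so a non-string value (a JSON list or object in the login body, for instance) passes that check and reaches whatever password comparison follows, where it will most likely surface as a TypeError and a 500 instead of a controlled `AuthenticationError`. The same shape of guard belongs there: `if not password or not isinstance(password, str): raise AuthenticationError("Please provide a password")`. `authenticate`'s body continues past the hunk, so the comparison itself is not visible here; confirm it does not already coerce the value.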