Change sql blacklist functionality from regex to sqlparse #498
Conversation
self.assertFalse(passes)

def test_dml_set(self):
    sql = "SET TIME ZONE 'PST8PDT';"
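Review bot: test_dml_set asserts that `SET TIME ZONE 'PST8PDT';` fails the blacklist, yet that statement is a PostgreSQL session setting rather than a data-modifying one, so the test name overstates what is checked and nothing in the test records why a bare SET is on the list. Add a comment naming the forms the rule is meant to catch (the thread below cites MySQL's SET PASSWORD and UPDATE ... SET) so that a later move to sqlparse-based matching keeps those blocked while deciding explicitly whether session-level SET should stay blacklisted.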
@marksweb why forbid this? What's a better way to display results in a local timezone?
Forbid this? Sorry I don't follow - I haven't forbidden this?
This PR added SET to app_settings.EXPLORER_SQL_BLACKLIST, and the assert below seems to be checking that SET TIME ZONE 'PST8PDT' fails the blacklist. I noticed this because several queries I rely on started failing after an upgrade.
From a quick reading of https://www.postgresql.org/docs/current/sql-set.html, I don't notice ways in which it'd modify data in the database, but I'm not a SQL expert, and I haven't checked MySQL, etc.
@covracer This PR just changed the order of the blacklisted items. SET was actually added about a year ago here.
SET can be used to update values. See here.
The blacklist check didn't work for some time. It may have been this PR which actually got it working correctly, hence you noticing it.
You can always define your own EXPLORER_SQL_BLACKLIST in your project settings if you want to allow people to use different commands.
https://www.w3schools.com/SQL/sql_ref_set.asp discusses SET in the context of UPDATE ... SET ... WHERE ...; it seems to me like the entry for UPDATE would cover that.
SET PASSWORD for MySQL as described in #475 sounds like a great thing to block. Would it be possible to disallow SET PASSWORD ... (for MySQL) while allowing SET TIME ... (for PostgreSQL)?
Edit: I'm open to overriding EXPLORER_SQL_BLACKLIST, but I wanted to make sure I wasn't overlooking ways in which SET could be used to make modifications to a PostgreSQL database before doing so. Thanks for the help in figuring the details out.
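The distinction asked for above (block SET PASSWORD and UPDATE ... SET, allow SET TIME ZONE) can be expressed as keyword sequences instead of a bare-word match. The following is an added example, not django-sql-explorer's own code: EXPLORER_SQL_BLACKLIST is a local stand-in for the project setting and the small tokenizer stands in for sqlparse.

```python
import re

# Added example, not django-sql-explorer's own code: EXPLORER_SQL_BLACKLIST below is a
# local stand-in for the project setting, and the tokenizer stands in for sqlparse so
# the snippet runs without third-party packages.
# Each rule is a sequence of keywords that must appear consecutively. Matching SET only
# when followed by PASSWORD blocks MySQL's credential change without also rejecting
# PostgreSQL's SET TIME ZONE; UPDATE ... SET ... is caught by its own UPDATE rule.
EXPLORER_SQL_BLACKLIST = (
    ("ALTER",), ("CREATE",), ("DELETE",), ("DROP",), ("GRANT",),
    ("INSERT",), ("TRUNCATE",), ("UPDATE",),
    ("SET", "PASSWORD"),
)

_COMMENT = re.compile(r"--[^\n]*|/\*.*?\*/", re.S)          # -- line and /* block */ comments
_STRING = re.compile(r"'(?:[^']|'')*'|\"(?:[^\"]|\"\")*\"")  # 'literals' and "quoted idents"
_WORD = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def sql_tokens(sql):
    """Upper-cased bare-word tokens of `sql`, with comments and quoted text removed
    so a keyword inside 'a string' or /* a comment */ is not mistaken for SQL."""
    text = _COMMENT.sub(" ", sql)
    text = _STRING.sub(" ", text)
    return [w.upper() for w in _WORD.findall(text)]


def blacklisted_rule(sql, blacklist=EXPLORER_SQL_BLACKLIST):
    """Return the first rule whose keyword sequence occurs in `sql`, else None.
    The whole token stream is scanned, not just the leading keyword, so a DELETE
    nested in a CTE or a second statement after ';' is still caught."""
    tokens = sql_tokens(sql)
    for rule in blacklist:
        n = len(rule)
        if any(tuple(tokens[i:i + n]) == rule for i in range(len(tokens) - n + 1)):
            return rule
    return None


def passes_blacklist(sql):
    """True when no blacklisted keyword sequence is present: the check the PR's
    test_dml_set exercises, except that SET TIME ZONE is allowed here."""
    return blacklisted_rule(sql) is None


if __name__ == "__main__":
    for stmt in ("SET TIME ZONE 'PST8PDT';", "SET PASSWORD = 'x';",
                 "UPDATE t SET a = 1 WHERE id = 2;", "SELECT 'DROP TABLE t' AS label;"):
        print(passes_blacklist(stmt), stmt)
```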
@covracer The project is set up to try to be as secure as possible. Where you need a different approach, like SET TIME, you can define your own EXPLORER_SQL_BLACKLIST list which doesn't include SET.
Issue #454