Opened 46 minutes ago
Last modified 25 minutes ago
#36778 assigned Cleanup/optimization
Extend admonition to avoid constructing query expressions from unsanitized user input
| Reported by: | Jacob Walls | Owned by: | Jacob Walls |
|---|---|---|---|
| Component: | Documentation | Version: | dev |
| Severity: | Normal | Keywords: | Func, sql, injection, extra, rawsql |
| Cc: | Simon Charette, Michael Manfre | Triage Stage: | Accepted |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
The Security Team occasionally receives reports where a proof of concept pipes unsanitized user input directly to a query expression argument traditionally regarded as statically configured and thus developer-controlled.
We haven't accepted these as vulnerabilities, because each case we've confronted has a clear domain to validate (e.g. positive integers) that a garden-variety form or serializer would handle, as opposed to anything that would require the db adapter to escape.
We have this clearly documented in the Func API where positional arguments can be user-driven but keyword arguments get interpolated directly into SQL (beware!), but this is potentially muddled by the inconsistency where some subclasses allow positional arguments for convenience but then pass that on to Func() via keyword (beware!)
Working on a way to clarify this in the Func docs and cross-link from the security reporting guidelines.
Change History (3)
comment:1 by , 31 minutes ago
| Keywords: | extra rawsql added |
|---|---|
| Triage Stage: | Unreviewed → Accepted |
| Version: | → dev |
Thank you!