Security mechanism can be defeated by using function name as column name
Closed · 1 comment
ianmcook commented
The mechanism that stops queryparser from translating an expression if it includes functions that are not on the whitelist can be defeated by including a column name in the expression that has the same name as the disallowed function. For example:

```r
parse_expression("system + system('ls')")
#system + system("ls")
```

This is caused by the way the `all_funs` function is implemented.
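The bypass described above, illustrated as an added example rather than queryparser's own code: `all_funs_naive` is a hypothetical collector that models the flaw (a symbol that is also a column name is dropped from the function list), and `all_funs_recursive` walks the call tree so a column named `system` no longer hides a call to `system()`. The whitelist is a constructed sample, not the package's.

```r
# Hypothetical naive collector modelling the flaw in the issue (not
# queryparser's code): names that also occur as variables are removed,
# so the column "system" masks the call system("ls").
all_funs_naive <- function(expr) {
  setdiff(all.names(expr), all.vars(expr))
}

# Recursive collector: records the head of every call in the tree, so
# the same symbol appearing as a column elsewhere changes nothing.
all_funs_recursive <- function(expr) {
  if (!is.call(expr)) return(character(0))
  head <- expr[[1]]
  # A symbol head is the function called; a call head (pkg::fun, an
  # anonymous function) is walked too so nothing hides inside it.
  found <- if (is.symbol(head)) as.character(head) else all_funs_recursive(head)
  args <- as.list(expr)[-1]
  unique(c(found, unlist(lapply(args, all_funs_recursive))))
}

# Constructed sample whitelist of operators/functions allowed to translate.
whitelist <- c("+", "-", "*", "/", "abs", "round")

# Returns TRUE when every function in the expression is whitelisted.
is_safe <- function(expr_text, collector) {
  expr <- str2lang(expr_text)
  disallowed <- setdiff(collector(expr), whitelist)
  length(disallowed) == 0
}

input <- "system + system('ls')"
is_safe(input, all_funs_naive)      # TRUE: "system" dropped, check bypassed
is_safe(input, all_funs_recursive)  # FALSE: system() is reported and blocked
```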