bobby tables
cmungall opened this issue · 2 comments
cmungall commented
Using gizmo search to search for 3-prime exons in SO:
$ python -m gizmos.search db/so.db "3' exon"
Traceback (most recent call last):
File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/runpy.py", line 193, in _run_module_as_main
"__main__", mod_spec)
File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/runpy.py", line 85, in _run_code
exec(code, run_globals)
File "/Users/cjm/repos/gizmos/gizmos/search.py", line 197, in <module>
main()
File "/Users/cjm/repos/gizmos/gizmos/search.py", line 33, in main
limit=args.limit,
File "/Users/cjm/repos/gizmos/gizmos/search.py", line 41, in search
conn, text, limit, label=label, short_label=short_label, synonyms=synonyms
File "/Users/cjm/repos/gizmos/gizmos/search.py", line 62, in get_search_results
AND value LIKE '%{text}%';"""
sqlite3.OperationalError: near "exon": syntax error
The problem is here:
Line 62 in 6f0de7b
I tried the bobby tables exploit:
https://xkcd.com/327/
$ python -m gizmos.search db/go.db "Robert'; DROP TABLE students; --"
Traceback (most recent call last):
File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/runpy.py", line 193, in _run_module_as_main
"__main__", mod_spec)
File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/runpy.py", line 85, in _run_code
exec(code, run_globals)
File "/Users/cjm/repos/gizmos/gizmos/search.py", line 197, in <module>
main()
File "/Users/cjm/repos/gizmos/gizmos/search.py", line 33, in main
limit=args.limit,
File "/Users/cjm/repos/gizmos/gizmos/search.py", line 41, in search
conn, text, limit, label=label, short_label=short_label, synonyms=synonyms
File "/Users/cjm/repos/gizmos/gizmos/search.py", line 62, in get_search_results
AND value LIKE '%{text}%';"""
sqlite3.Warning: You can only execute one statement at a time.
So you are safe :-)
But it should still escape quotes.
You can do this in SQLA without committing to the ORM; see:
https://stackoverflow.com/questions/19314342/python-sqlalchemy-pass-parameters-in-connection-execute
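The interpolated `LIKE '%{text}%'` pattern from the traceback beside the bound-parameter form suggested here, as an added example that is not gizmos code; the `statements` table and its columns are an assumed stand-in for the real schema.

```python
import sqlite3

# Constructed in-memory stand-in for a gizmos database; the `statements`
# table and its columns are an assumption, not the real gizmos schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE statements (subject TEXT, predicate TEXT, value TEXT)")
    conn.executemany(
        "INSERT INTO statements VALUES (?, ?, ?)",
        [
            ("SO:0000202", "rdfs:label", "three_prime_coding_exon"),
            ("SO:0000202", "oboInOwl:hasExactSynonym", "3' exon"),
            ("SO:0000147", "rdfs:label", "exon"),
            ("SO:0000147", "oboInOwl:hasRelatedSynonym", "exon_100%"),
        ],
    )
    return conn

def search_unsafe(conn, text, limit=10):
    # The pattern from the traceback: the search text is pasted into the SQL.
    # A single quote in `text` ends the string literal, so the statement no
    # longer parses; that is the 'near "exon": syntax error' seen above.
    query = f"SELECT subject, value FROM statements WHERE value LIKE '%{text}%' LIMIT {limit};"
    return conn.execute(query).fetchall()

def escape_like(text, esc="\\"):
    # Binding parameters stops quote-breaking, but % and _ are still LIKE
    # wildcards; escape them so a search for "100%" means a literal percent.
    return (text.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))

def search_safe(conn, text, limit=10):
    # Hardened form: the text travels as a bound parameter, never as SQL text.
    pattern = "%" + escape_like(text) + "%"
    return conn.execute(
        "SELECT subject, value FROM statements WHERE value LIKE ? ESCAPE '\\' LIMIT ?;",
        (pattern, limit),
    ).fetchall()

def unsafe_raises(conn, text):
    # True when the interpolated query fails to parse for this input.
    try:
        search_unsafe(conn, text)
    except sqlite3.OperationalError:
        return True
    return False
```

The same parameter binding works through SQLAlchemy's `connection.execute(text(...), {...})` without the ORM, as the linked answer shows.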
jamesaoverton commented
Yes, we know we've been lazy about this, and it needs to be fixed.
jamesaoverton commented
This should be addressed by our recent move to SQLAlchemy.