ontodev/gizmos

bobby tables

cmungall opened this issue · 2 comments

Using gizmo search to search for 3-prime exons in SO:

$ python -m gizmos.search db/so.db "3' exon"
Traceback (most recent call last):
  File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/runpy.py", line 193, in _run_module_as_main
    "__main__", mod_spec)
  File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/runpy.py", line 85, in _run_code
    exec(code, run_globals)
  File "/Users/cjm/repos/gizmos/gizmos/search.py", line 197, in <module>
    main()
  File "/Users/cjm/repos/gizmos/gizmos/search.py", line 33, in main
    limit=args.limit,
  File "/Users/cjm/repos/gizmos/gizmos/search.py", line 41, in search
    conn, text, limit, label=label, short_label=short_label, synonyms=synonyms
  File "/Users/cjm/repos/gizmos/gizmos/search.py", line 62, in get_search_results
    AND value LIKE '%{text}%';"""
sqlite3.OperationalError: near "exon": syntax error

The problem is here:

AND value LIKE '%{text}%';"""

I tried the bobby tables exploit:
https://xkcd.com/327/

$ python -m gizmos.search db/go.db "Robert'; DROP TABLE students; --"
Traceback (most recent call last):
  File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/runpy.py", line 193, in _run_module_as_main
    "__main__", mod_spec)
  File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/runpy.py", line 85, in _run_code
    exec(code, run_globals)
  File "/Users/cjm/repos/gizmos/gizmos/search.py", line 197, in <module>
    main()
  File "/Users/cjm/repos/gizmos/gizmos/search.py", line 33, in main
    limit=args.limit,
  File "/Users/cjm/repos/gizmos/gizmos/search.py", line 41, in search
    conn, text, limit, label=label, short_label=short_label, synonyms=synonyms
  File "/Users/cjm/repos/gizmos/gizmos/search.py", line 62, in get_search_results
    AND value LIKE '%{text}%';"""
sqlite3.Warning: You can only execute one statement at a time.

So you are safe :-)

But it should still escape quotes.

You can do this in sqla without committing to the ORM, see:

https://stackoverflow.com/questions/19314342/python-sqlalchemy-pass-parameters-in-connection-execute

Yes, we know we've been lazy about this, and it needs to be fixed.

This should be addressed by our recent move to SQLAlchemy.
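As an added example (not code from the gizmos project or from anyone in this thread), the interpolated LIKE from the traceback is shown next to a parameterized version using the standard-library sqlite3 driver. The statements table schema (subject, predicate, value) and the sample rows are constructed for illustration and are not real SO terms; both the "3' exon" query and the bobby-tables string from the issue are run against each version.

```python
import sqlite3

# Constructed stand-in for the table gizmos searches. The column names are
# assumed for illustration; the rows and term ids are made up, not SO terms.
SAMPLE_ROWS = [
    ("term:1", "rdfs:label", "3' exon"),
    ("term:2", "rdfs:label", "exon"),
    ("term:3", "rdfs:label", "100% identity"),
    ("term:4", "rdfs:label", "under_score"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE statements (subject TEXT, predicate TEXT, value TEXT)")
    conn.executemany("INSERT INTO statements VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def search_unsafe(conn, text):
    """The pattern from the traceback: user text interpolated into the SQL.

    A quote in `text` closes the string literal early, so "3' exon" becomes a
    syntax error and "x'; DROP TABLE ...; --" becomes a second statement.
    """
    query = f"""SELECT subject, value FROM statements
        WHERE predicate = 'rdfs:label'
        AND value LIKE '%{text}%';"""
    return conn.execute(query).fetchall()


def run_unsafe(conn, text):
    """Run search_unsafe and report either the rows or the exception class raised."""
    try:
        return ("rows", search_unsafe(conn, text))
    except (sqlite3.Error, sqlite3.Warning) as exc:
        # sqlite3.Warning (multi-statement input) is not a subclass of
        # sqlite3.Error, so both are caught explicitly.
        return ("error", type(exc).__name__)


def escape_like(text, esc="\\"):
    """Escape LIKE metacharacters so user text is matched literally.

    Bound parameters stop SQL injection but not wildcard injection: a bare
    "%" or "_" inside `text` would still be interpreted by LIKE.
    """
    return (text.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def search_safe(conn, text, limit=10):
    """Parameterized version: the pattern travels as a bound value, never as SQL."""
    pattern = "%" + escape_like(text) + "%"
    return conn.execute(
        "SELECT subject, value FROM statements "
        "WHERE predicate = 'rdfs:label' "
        "AND value LIKE ? ESCAPE '\\' "
        "LIMIT ?;",
        (pattern, limit),
    ).fetchall()


def row_count(conn):
    """Number of rows still present, to confirm nothing was dropped."""
    return conn.execute("SELECT COUNT(*) FROM statements").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    for needle in ["3' exon", "Robert'; DROP TABLE students; --", "100%"]:
        print(repr(needle), "unsafe:", run_unsafe(db, needle))
        print(repr(needle), "safe:  ", search_safe(db, needle))
```

With SQLAlchemy Core the same shape is `conn.execute(text("... AND value LIKE :pat ESCAPE '\\' LIMIT :limit"), {"pat": pattern, "limit": limit})`. Binding the pattern removes the quoting problem the issue reports; the `%` and `_` escaping is a separate step that is still needed so that a user typing `100%` or `_` gets a literal match rather than a wildcard.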