Add checks for SQL Alchemy

Question

Add checks for SQL Alchemy

tonybaloney opened this issue 5 years ago · 5 comments

Feature Request

From what I could find from some quick googling (but need to actually test this)

filter   - uses _literal_as_text (NOT SAFE)
having   - uses _literal_as_text (NOT SAFE)

distinct - uses _literal_as_label_reference (NOT SAFE)
group_by - uses _literal_as_label_reference (NOT SAFE)
order_by - uses _literal_as_label_reference (NOT SAFE)

tonybaloney commented 4 years ago

Answer 1 · 2020-05-10T02:46:31.000Z

Also found

sqlalchemy.sql.text
<connection>.execute()

Both execute raw SQL directly. Would be caught by the existing SQL injection checks

Answer 2 · 2020-05-10T07:48:20.000Z

Tried this and SQL100 catches both anyway

with engine.connect() as conn:
    conn.execute(addresses.insert(), [
        {'user_id': 1, 'email_address' : 'jack@yahoo.com'},
        {'user_id': 1, 'email_address' : 'jack@msn.com'},
        {'user_id': 2, 'email_address' : 'www@www.org'},
        {'user_id': 2, 'email_address' : 'wendy@aol.com'},
    ])
    data = ( {'user_id': 1, 'email_address' : 'jack@yahoo.com\''},)
    statement = text("""INSERT INTO addresses(user_id, email_address) VALUES({}, :email_address)""".format(x))
    for line in data:
        conn.execute(statement, **line)
    conn.execute("SELECT email_address FROM addresses WHERE email_address = \'{}\'".format(foo))

Answer 3 · 2020-05-11T02:13:18.000Z

I think it would be possible to use text() as a text-fragment with the filter() function?

session.Query(FooBar).filter(text(sql_injection))

Answer 4 · 2020-05-11T06:45:43.000Z

Suggested example: https://docs.sqlalchemy.org/en/13/core/selectable.html#sqlalchemy.sql.expression.HasSuffixes.suffix_with.params.*expr