ulule/loukoum

The format package doesn't escape strings

icholy opened this issue · 3 comments

The String() method on builders is completely vulnerable to SQL injection.

```go
package main

import (
	"fmt"
	lk "github.com/ulule/loukoum"
)

func main() {
	fmt.Println(
		lk.Select("*").From("users").Where(
			lk.Condition("name").Equal("' OR 1 == 1 --"),
		).String(),
	)
}
```

output:

```sql
SELECT * FROM users WHERE (name = '' OR 1 == 1 --')
```

novln commented

Hello,

If you want safety, you should use lk.Select("*").From("users").Where(...).Prepare()

String() is mainly used for debugging and has a huge footprint (see below):

func rawify(query string, args map[string]interface{}) string {

Hope that helps.
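The distinction drawn above, as an added example that is not loukoum's own code: a small stand-in builder whose String() splices the value into the SQL text (a debug rendering, like a rawify step) while Prepare() emits a placeholder and hands the value back as a bound argument. The type and function names, and the `:arg_1` placeholder style, are assumptions for this illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Stand-in for a query builder with the two rendering modes the thread
// discusses (hypothetical type, not loukoum's).
type selectQuery struct {
	table  string
	column string
	value  string
}

func Select(table, column, value string) selectQuery {
	return selectQuery{table: table, column: column, value: value}
}

// String renders the value inline, the way a debug rendering does. Anything
// in value becomes SQL text, so quotes in it change the statement's meaning.
// Useful for logging; never send this to a database.
func (q selectQuery) String() string {
	return fmt.Sprintf("SELECT * FROM %s WHERE (%s = '%s')", q.table, q.column, q.value)
}

// Prepare renders a placeholder and returns the value separately. The driver
// binds it as data, so the same input cannot alter the statement.
func (q selectQuery) Prepare() (string, map[string]interface{}) {
	query := fmt.Sprintf("SELECT * FROM %s WHERE (%s = :arg_1)", q.table, q.column)
	return query, map[string]interface{}{"arg_1": q.value}
}

// ContainsRawValue reports whether a user-supplied value ended up inside the
// SQL text, a cheap review-time check that a debug String() is not being
// passed to a database call.
func ContainsRawValue(sql, value string) bool {
	return strings.Contains(sql, value)
}

func main() {
	input := "' OR 1 == 1 --" // the input from the issue report
	q := Select("users", "name", input)
	fmt.Println("debug:   ", q.String())
	sql, args := q.Prepare()
	fmt.Println("prepared:", sql, args)
}
```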

@novln I realise after reading through the code, but that wasn't mentioned anywhere in the docs. Something like that should be front and center, bolded, in a red font.

novln commented

Noted 😄

I'll do a sweep on the documentation to ensure that this kind of information is shared.
If you find anything that needs clarification, don't hesitate.