fix: possible unauthenticated SQL injection when login #1382

Closed
wants to merge 3 commits into from

Conversation

jczhong84
Collaborator

When sending an object inside the username like:

```http
POST /ds/login/ HTTP/1.1
Host: localhost:10001

{"username":{"test":1},"password":"test"}
```

will get

```
"(pymysql.err.ProgrammingError) (1064, \"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''test': '1'} \\n LIMIT 1' at line 3\")\n[SQL: SELECT user.password AS user_password, user.id AS user_id, user.username AS user_username, user.fullname AS user_fullname, user.email AS user_email, user.profile_img AS user_profile_img, user.deleted AS user_deleted, user.is_group AS user_is_group, user.properties AS user_properties \nFROM user \nWHERE user.username = %(username_1)s \n LIMIT %(param_1)s]\n[parameters: {'username_1': {'test': 1}, 'param_1': 1}]\n(Background on this error at: https://sqlalche.me/e/14/f405)",
  "host": "2297766a08be",
  "traceback": "Traceback (most recent call last):\n  File \"/usr/local/lib/python3.9/site-packages/sqlalchemy/engine/base.py\", line 1819, in _execute_context\n    self.dialect.do_execute(\n  File \"/usr/local/lib/python3.9/site-packages/sqlalchemy/engine/default.py\", line 732, in do_execute\n    cursor.execute(statement, parameters)\n  File \"/usr/local/lib/python3.9/site-packages/pymysql/cursors.py\", line 148, in execute\n    result = self._query(query)\n  File \"/usr/local/lib/python3.9/site-packages/pymysql/cursors.py\", line 310, in _query\n    conn.query(q)\n  File \"/usr/local/lib/python3.9/site-packages/pymysql/connections.py\", line 548, in query\n    self._affected_rows = self._read_query_result(unbuffered=unbuffered)\n  File \"/usr/local/lib/python3.9/site-packages/pymysql/connections.py\", line 775, in _read_query_result\n    result.read()\n  File \"/usr/local/lib/python3.9/site-packages/pymysql/connections.py\", line 1156, in read\n    first_packet = self.connection._read_packet()\n  File \"/usr/local/lib/python3.9/site-packages/pymysql/connections.py\", line 725, in _read_packet\n    packet.raise_for_error()\n  File \"/usr/local/lib/python3.9/site-packages/pymysql/protocol.py\", line 221, in raise_for_error\n    err.raise_mysql_exception(self._data)\n  File \"/usr/local/lib/python3.9/site-packages/pymysql/err.py\", line 143, in raise_mysql_exception\n    raise errorclass(errno, errval)\npymysql.err.ProgrammingError: (1064, \"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''test': '1'} \\n LIMIT 1' at line 3\")\n\nThe above exception was the direct cause of the following exception:\n\nTraceback (most recent call last):\n  File \"/opt/querybook/querybook/server/app/datasource.py\", line 84, in handler\n    results = fn(**kwargs)\n  File \"/opt/querybook/querybook/server/app/auth/password_auth.py\", line 50, in login_user_endpoint\n    user = authenticate(username, 
password, session=session)\n  File \"/opt/querybook/querybook/server/app/db.py\", line 136, in func\n    return fn(*args, **kwargs)\n  File \"/opt/querybook/querybook/server/app/auth/password_auth.py\", line 35, in authenticate\n    user = get_user_by_name(username, session=session)\n  File \"/opt/querybook/querybook/server/app/db.py\", line 136, in func\n    return fn(*args, **kwargs)\n  File \"/opt/querybook/querybook/server/logic/user.py\", line 35, in get_user_by_name\n    return User.get(username=username, session=session)\n  File \"/opt/querybook/querybook/server/app/db.py\", line 136, in func\n    return fn(*args, **kwargs)\n  File \"/opt/querybook/querybook/server/lib/sqlalchemy/__init__.py\", line 77, in get\n    return query.first()\n  File \"/usr/local/lib/python3.9/site-packages/sqlalchemy/orm/query.py\", line 2819, in first\n    return self.limit(1)._iter().first()\n  File \"/usr/local/lib/python3.9/site-packages/sqlalchemy/orm/query.py\", line 2903, in _iter\n    result = self.session.execute(\n  File \"/usr/local/lib/python3.9/site-packages/sqlalchemy/orm/session.py\", line 1712, in execute\n    result = conn._execute_20(statement, params or {}, execution_options)\n  File \"/usr/local/lib/python3.9/site-packages/sqlalchemy/engine/base.py\", line 1631, in _execute_20\n    return meth(self, args_10style, kwargs_10style, execution_options)\n  File \"/usr/local/lib/python3.9/site-packages/sqlalchemy/sql/elements.py\", line 332, in _execute_on_connection\n    return connection._execute_clauseelement(\n  File \"/usr/local/lib/python3.9/site-packages/sqlalchemy/engine/base.py\", line 1498, in _execute_clauseelement\n    ret = self._execute_context(\n  File \"/usr/local/lib/python3.9/site-packages/sqlalchemy/engine/base.py\", line 1862, in _execute_context\n    self._handle_dbapi_exception(\n  File \"/usr/local/lib/python3.9/site-packages/sqlalchemy/engine/base.py\", line 2043, in _handle_dbapi_exception\n    util.raise_(\n  File 
\"/usr/local/lib/python3.9/site-packages/sqlalchemy/util/compat.py\", line 208, in raise_\n    raise exception\n  File \"/usr/local/lib/python3.9/site-packages/sqlalchemy/engine/base.py\", line 1819, in _execute_context\n    self.dialect.do_execute(\n  File \"/usr/local/lib/python3.9/site-packages/sqlalchemy/engine/default.py\", line 732, in do_execute\n    cursor.execute(statement, parameters)\n  File \"/usr/local/lib/python3.9/site-packages/pymysql/cursors.py\", line 148, in execute\n    result = self._query(query)\n  File \"/usr/local/lib/python3.9/site-packages/pymysql/cursors.py\", line 310, in _query\n    conn.query(q)\n  File \"/usr/local/lib/python3.9/site-packages/pymysql/connections.py\", line 548, in query\n    self._affected_rows = self._read_query_result(unbuffered=unbuffered)\n  File \"/usr/local/lib/python3.9/site-packages/pymysql/connections.py\", line 775, in _read_query_result\n    result.read()\n  File \"/usr/local/lib/python3.9/site-packages/pymysql/connections.py\", line 1156, in read\n    first_packet = self.connection._read_packet()\n  File \"/usr/local/lib/python3.9/site-packages/pymysql/connections.py\", line 725, in _read_packet\n    packet.raise_for_error()\n  File \"/usr/local/lib/python3.9/site-packages/pymysql/protocol.py\", line 221, in raise_for_error\n    err.raise_mysql_exception(self._data)\n  File \"/usr/local/lib/python3.9/site-packages/pymysql/err.py\", line 143, in raise_mysql_exception\n    raise errorclass(errno, errval)\nsqlalchemy.exc.ProgrammingError: (pymysql.err.ProgrammingError) (1064, \"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''test': '1'} \\n LIMIT 1' at line 3\")\n[SQL: SELECT user.password AS user_password, user.id AS user_id, user.username AS user_username, user.fullname AS user_fullname, user.email AS user_email, user.profile_img AS user_profile_img, user.deleted AS user_deleted, user.is_group AS user_is_group, 
user.properties AS user_properties \nFROM user \nWHERE user.username = %(username_1)s \n LIMIT %(param_1)s]\n[parameters: {'username_1': {'test': 1}, 'param_1': 1}]\n(Background on this error at: https://sqlalche.me/e/14/f405)\n
```
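The root cause shown in the trace is that the JSON `username` value is handed to the ORM query without any type check, so a nested object reaches the driver. The following is an added illustration (not Querybook's code and not part of this pull request): a boundary validator that refuses non-string login fields, plus a deliberately simplified model of how a `%(name)s`-style driver ends up splicing `str()` of a dict into the statement text, which is what produces the `{'test': '1'}` fragment in the error above. `MAX_FIELD_LEN` and the function names are assumptions.

```python
import json
from typing import Tuple

MAX_FIELD_LEN = 255  # assumed limit for illustration, not a Querybook setting


class InvalidLoginPayload(ValueError):
    """Raised for a malformed login body; the endpoint should answer 400."""


def parse_login_payload(raw_body: bytes) -> Tuple[str, str]:
    """Return (username, password) as plain str, or raise InvalidLoginPayload.

    Any value that is not a non-empty str (object, array, number, null, bool)
    is rejected here, before it can reach the ORM query and the DB driver.
    """
    try:
        body = json.loads(raw_body)
    except (ValueError, UnicodeDecodeError) as exc:
        raise InvalidLoginPayload("body is not valid JSON") from exc
    if not isinstance(body, dict):
        raise InvalidLoginPayload("body must be a JSON object")
    values = []
    for field in ("username", "password"):
        value = body.get(field)
        # isinstance(value, str) also rejects int/bool, which JSON can carry
        if not isinstance(value, str) or not value:
            raise InvalidLoginPayload(f"{field} must be a non-empty string")
        if len(value) > MAX_FIELD_LEN:
            raise InvalidLoginPayload(f"{field} is too long")
        values.append(value)
    return values[0], values[1]


def model_driver_formatting(sql: str, params: dict) -> str:
    """Simplified model (not pymysql's real escaping code) of pyformat
    parameter substitution: a str is quoted, an int is rendered bare, and a
    dict has its leaves escaped and is then rendered with str(), so its
    braces and keys land in the SQL text as unquoted syntax."""
    def literal(v):
        if isinstance(v, str):
            return "'" + v.replace("'", "''") + "'"
        if isinstance(v, dict):
            return str({k: literal(x) for k, x in v.items()})
        return str(v)
    return sql % {k: literal(v) for k, v in params.items()}
```

Running `model_driver_formatting` with the parameters from the trace reproduces the `WHERE user.username = {'test': '1'}` text that MySQL rejects, while a validated string parameter is rendered as a quoted literal.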

@jczhong84 jczhong84 closed this Dec 7, 2023
@jczhong84 jczhong84 deleted the fix/login branch December 8, 2023 00:02