Open zklim opened 4 months ago
Hey @zklim Some pointers on the
fix/sql-queries-backmerge
The below files still have the SQL vulnerability
src-tauri/src/services/local_storage/tokens.rs
src-tauri/src/services/local_storage/encrypted_data.rs
src-tauri/src/services/local_storage/storage_api/events.rs
src-tauri/src/services/local_storage/storage_api/records.rs
src-tauri/src/services/local_storage/storage_api/transaction.rs
- Basically. any file that uses String formatting with
format!(<SQL_QUERY>{}, <VARIABLE>)
, Should be changed to passing through arguments as Zack did- Do a search for
format!
, and change it to the fix done by Zack usingexecute_query_params()
fn for the above mentioned files- All SQL commands SHOULD NOT HAVE
format!(<..>)
in them, it should be likelet query = "<SQL QUERY WITH ?1, ?2>";
and call theexecute_query_params(query , <PARAMS>);
fn.
Not sure if I have to modify code for case like:
let query = format!(
"SELECT balance_ciphertext, nonce FROM ARC20_tokens WHERE token_name='{}' ",
token_name
);
let res = storage.get_all::<String>(&query, 2)?;
as storage.get_all()
don't take parameter as execute_query_params(query , <PARAMS>);
does
Back merge latest develop branch at Jun 21st and did app testing.