MPLens / clickhouse-query

ClickHouse Query is an intuitive query builder to overcome the complexity of ClickHouse SQL syntax.
MIT License
7 stars 2 forks

Critical bug: SQL injection #5

Open kyegupov opened 5 months ago

kyegupov commented 5 months ago

Critical security issue: it's extremely easy to forge a malicious request by using single quotes in a parameter value.

```js
> builder.query().select('password').from('users').where('user_id', '=', "jonh.smith@example.com' OR is_admin='true").generateWhere();
"WHERE user_id = 'jonh.smith@example.com' OR is_admin='true'"
```

This is exactly why you should never pass values in the query text. They should be encoded as parameters.

The ClickHouse documentation, unfortunately, is bad at giving good examples of using query parameters.

See https://clickhouse.com/docs/en/sql-reference/syntax#defining-and-using-query-parameters and https://github.com/ClickHouse/clickhouse-js/blob/main/examples/query_with_parameter_binding.ts
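The following is an added example, not code from the clickhouse-query project or from the reporter. It puts a string-interpolating `generateWhere` that reproduces the reported behaviour next to a hardened version that emits ClickHouse `{name:Type}` query-parameter placeholders and returns the values separately for the driver to bind. The function names, the `p0`, `p1`, ... parameter names, and the operator allowlist are assumptions made for the illustration; the column, operator and payload come from the report.

```javascript
// Added example (not the clickhouse-query project's code): the vulnerable
// string-interpolating WHERE builder from the report beside a parameterized
// version that uses ClickHouse query-parameter placeholders.

// Vulnerable: the value is spliced into the SQL text. This mirrors the
// behaviour reported in the issue; a single quote in the value ends the
// literal and the rest of the value becomes SQL.
function generateWhereUnsafe(conditions) {
  const parts = conditions.map(([col, op, val]) => `${col} ${op} '${val}'`);
  return `WHERE ${parts.join(' AND ')}`;
}

// Operators and identifiers cannot be bound as parameters, so they are
// checked against an allowlist instead of being trusted. (Assumed lists,
// chosen for this example.)
const ALLOWED_OPS = new Set(['=', '!=', '<>', '<', '<=', '>', '>=', 'LIKE', 'NOT LIKE']);
const IDENT_RE = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Map a JS value to the ClickHouse type written in the placeholder.
function chType(val) {
  if (typeof val === 'string') return 'String';
  if (typeof val === 'number') return Number.isInteger(val) ? 'Int64' : 'Float64';
  throw new TypeError(`unsupported parameter type: ${typeof val}`);
}

// Hardened: the value never touches the SQL text. Each condition becomes
// `col OP {pN:Type}` and the actual values are returned in `params`, keyed
// by placeholder name, for the client to send as query parameters
// (clickhouse-js accepts them as `query_params`).
function generateWhereSafe(conditions) {
  const params = {};
  const parts = conditions.map(([col, op, val], i) => {
    if (!IDENT_RE.test(col)) throw new Error(`invalid column name: ${col}`);
    const opUp = String(op).toUpperCase();
    if (!ALLOWED_OPS.has(opUp)) throw new Error(`unsupported operator: ${op}`);
    const name = `p${i}`;
    params[name] = val;
    return `${col} ${opUp} {${name}:${chType(val)}}`;
  });
  return { sql: `WHERE ${parts.join(' AND ')}`, params };
}

// Constructed input: the payload from the report.
const PAYLOAD = "jonh.smith@example.com' OR is_admin='true";

// Runs both builders on the same payload so the difference is visible.
function demo() {
  const unsafe = generateWhereUnsafe([['user_id', '=', PAYLOAD]]);
  const safe = generateWhereSafe([['user_id', '=', PAYLOAD], ['is_admin', '=', 0]]);
  return { unsafe, safe };
}

console.log(JSON.stringify(demo(), null, 2));
```

With the hardened builder the payload stays a single `String` value bound to `{p0:String}`; the server never parses it as SQL, so the `OR is_admin='true'` suffix is just part of the string being compared against `user_id`. Identifiers and operators are the remaining injection surface, which is why they are validated rather than interpolated blindly.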

bologer commented 4 months ago

@kyegupov thanks for the report. We will fix this ASAP.