Closed moylop260 closed 3 years ago
The following examples should not be considered as sql-injection:
```python
self.env.cr.execute("SELECT * FROM %s" % 'table_constant')
self.env.cr.execute("SELECT * FROM {}".format('table_constant'))
self.env.cr.execute("SELECT * FROM %(table_variable)s" % {'table_variable': 'table_constant'})
```
Since a constant is not possible to inject.
Using the following code:
```python
queries = [
    "SELECT id FROM res_partner",
    "SELECT id FROM res_users",
]
for query in queries:
    self.env.cr.execute(query)
```
The check sql-injection shows the following error:
So, now it is validating whether it is not None.
Considering the following valid case:
```python
cr.execute('SELECT ' + operator + ' FROM table' + 'WHERE')
```
The representation tree is:
```python
node.repr_tree()
BinOp(
    op='+',
    left=BinOp(
        op='+',
        left=BinOp(
            op='+',
            left=Const(value='SELECT '),
            right=Name(name='operator')),
        right=Const(value=' FROM table')),
    right=Const(value='WHERE'))
```
Notice that the left node is another BinOp node, so it needs to be considered recursively.
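The three behaviours described above (literal-only formatting is not flagged, a name bound to a literal is resolved instead of crashing, and nested BinOp nodes are walked recursively) as an added example written for this page; it is not pylint-odoo's own code. It uses the standard-library `ast` module instead of astroid, and `_constant_names` is a deliberately simple stand-in for real inference (it only follows plain assignments and for loops over literal lists).

```python
import ast

def _is_safe(node, consts):
    """True when every part of the query expression is a literal; BinOp is followed recursively."""
    if isinstance(node, ast.Constant):          # literals cannot be injected
        return True
    if isinstance(node, ast.Name):              # only names we saw bound to literals
        return node.id in consts
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return _is_safe(node.left, consts) and _is_safe(node.right, consts)
    if isinstance(node, (ast.Tuple, ast.List)):
        return all(_is_safe(e, consts) for e in node.elts)
    if isinstance(node, ast.Dict):              # "%(k)s" % {'k': value}
        return all(_is_safe(v, consts) for v in node.values)
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):    # "{}".format(value)
        parts = [node.func.value, *node.args, *(k.value for k in node.keywords)]
        return all(_is_safe(p, consts) for p in parts)
    return False                                # anything else is treated as dynamic

def _constant_names(tree):
    """Names bound to literals by assignment or by a for loop over literals (simple stand-in for inference)."""
    consts = set()
    for n in ast.walk(tree):
        if (isinstance(n, ast.Assign) and len(n.targets) == 1
                and isinstance(n.targets[0], ast.Name) and _is_safe(n.value, consts)):
            consts.add(n.targets[0].id)
        elif isinstance(n, ast.For) and isinstance(n.target, ast.Name) and _is_safe(n.iter, consts):
            consts.add(n.target.id)
    return consts

def find_sql_injection(source):
    """Line numbers of execute()/executemany() calls whose query is not built only from literals."""
    tree = ast.parse(source)
    consts = _constant_names(tree)
    return [n.lineno for n in ast.walk(tree)
            if isinstance(n, ast.Call) and isinstance(n.func, ast.Attribute)
            and n.func.attr in ("execute", "executemany") and n.args
            and not _is_safe(n.args[0], consts)]

SAMPLE = '''\
self.env.cr.execute("SELECT * FROM %s" % 'table_constant')
self.env.cr.execute("SELECT * FROM {}".format('table_constant'))
self.env.cr.execute("SELECT * FROM %(t)s" % {'t': 'table_constant'})
queries = ["SELECT id FROM res_partner", "SELECT id FROM res_users"]
for query in queries:
    self.env.cr.execute(query)
cr.execute('SELECT ' + operator + ' FROM table' + 'WHERE')
cr.execute("SELECT * FROM res_partner WHERE id = %s", (partner_id,))
'''  # constructed sample mirroring the cases in this issue: only line 7 is flagged
```

`find_sql_injection(SAMPLE)` returns `[7]`: the constant-only formatting and the loop over literal queries pass, the concatenation with `operator` is reported, and the parameterised query on the last line is accepted because its first argument is a plain literal.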