Closed antonag32 closed 2 years ago
@moylop260
@moylop260 The idea to allow fstrings that only use constants came from your commit 5d9878a35512 which allowed calls like:
self.env.cr.execute("SELECT * FROM %s" % 'table_constant')
And its equivalent would be
self.env.cr.execute(f'SELECT * FROM {"table_constant"}')
Which I don't know why anyone would use, so it is worth checking for?
Hey @antonag32, thank you for your Pull Request.
It looks like some users haven't signed our Contributor License Agreement, yet. You can read and sign our full Contributor License Agreement here: https://odoo-community.org/page/cla Here is a list of the users:
Appreciation of efforts, OCA CLAbot
Implemented a recursive strategy to check for constants inside fstrings and mark them as safe if all formatted values are made up of constants only. Probably no one will use it in real life but its the technically correct thing to do.
Added a unit test to verify SQLI detection is working as corrected.
As of today, 4 tests are failing on the master branch when I run the whole suit:
They still fail after my changes, but no other tests failed, so I assume my work didn't break previous work.
I think you will need to bump the sql-injection in the EXPECTED_ERRORS
dict:
And fix the lints, please
$ flake8 --ignore=E722,F601,F841,W503,W504,W605 --max-line-length=88 --exclude=__init__.py .
./pylint_odoo/test_repo/broken_module/models/broken_model.py:501:68: E999 SyntaxError: invalid syntax
./pylint_odoo/test_repo/broken_module/models/broken_model.py:539:89: E501 line too long (105 > 88 characters)
./pylint_odoo/test/main.py:436:89: E501 line too long (107 > 88 characters)
https://app.travis-ci.com/github/OCA/pylint-odoo/jobs/565831678#L287-L290
@moylop260. Done, I bumped the sql-injection in EXPECTED_ERRORS
and fixed the linting warnings, although locally I was not able to get the E999 SyntaxError warning.
@moylop260 Since fstrings are not supported until Python 3.6 I made a separate test and embedded data int it instead of modifying test repos. All fstring testing is now done inside a single test which will be skipped if the version is not at least 3.6.
@moylop260
Apparently I nested existing code inside my checks, which meant certain injections were not being detected. It is fixed now. test_20_expected_errors
still blows up but sql-injections are no longer one of the reasons.
@moylop260 All requested changes were attended.
Supposed to fix #363. This is a work in progress as there are still some things to complete, like:
execute
callsAnd perhaps some other things which will come up during development.