search

WiseLibs / better-sqlite3

The fastest and simplest library for SQLite3 in Node.js.
MIT License
5.26k stars 391 forks source link

Enable load_extension() function? #1065

Open davidkaufman opened 10 months ago

davidkaufman commented 10 months ago

Hi!

I am loading sqlite extensions at connection time using the db.loadExtension() API but would rather use the SQL load_extension() function to load them at runtime.

As the SQLite docs above say say, allowing users to call this function in SQL is disabled by default, as it opens up a potential SQL injection vulnerability. Is there a way to call this sqlite C-API function below to re-enable it for use through better-sqlite3?

https://www.sqlite.org/c3ref/enable_load_extension.html

int sqlite3_enable_load_extension(sqlite3 *db, int onoff); So as not to open security holes in older applications that are unprepared to deal with extension loading, and as a means of disabling extension loading while evaluating user-entered SQL, the following API is provided to turn the sqlite3_load_extension() mechanism on and off.

Extension loading is off by default. Call the sqlite3_enable_load_extension() routine with onoff==1 to turn extension loading on

Thanks in advance!

Prinzhorn commented 10 months ago

I am loading sqlite extensions at connection time using the db.loadExtension() API but would rather use the SQL load_extension() function to load them at runtime.

db.loadExtension() literally calls load_extension()

https://github.com/WiseLibs/better-sqlite3/blob/ae23e690b02c00d075d543c66ae7e26c98c46f74/src/objects/database.lzz#L370-L390

SQLITE_DBCONFIG_ENABLE_LOAD_EXTENSION is also set (else db.loadExtension() wouldn't work)

https://github.com/WiseLibs/better-sqlite3/blob/ae23e690b02c00d075d543c66ae7e26c98c46f74/src/objects/database.lzz#L180

I'm confused what you actually want, maybe you can give a code example of the new API that you are suggesting? What exactly are you missing that you cannot do right now?

davidkaufman commented 10 months ago

Hi @Prinzhorn thanks for the reply!

What I meant was I'd like to allow our users to load any extension (at any time) by calling the SQL function from within a sql query, e.g.:

SELECT load_extension('./re.so');

currently, issuing a sql query that calls this function results in the error:

- SqliteError: not authorized

To allow the use the load_extension() inside a SQL command the docs linked above say you have to:

Call the sqlite3_enable_load_extension() routine with onoff==1

so apparently better-sqlite3 isn't passing that onoff parameter, which defaults to 0

Prinzhorn commented 10 months ago

Oh, thanks for clarifying, I didn't pay enough attention. Makes sense that you could optionally enable that for a Database instance.