this fails: CREATE (:tmp{tmp:'PORT'});

pebbe commented 4 years ago

me=# CREATE (:tmp{tmp:'PORT'});
ERROR:  syntax error at or near "'9333'"
LINE 1: CREATE (:tmp{tmp'9333'});
                        ^

erik-overdahl commented 4 years ago

This works

agens=# CREATE (:tmp{tmp:$$PORT$$});
GRAPH WRITE (INSERT VERTEX 1, INSERT EDGE 0)

agens=# CREATE (:tmp{tmp:toUpper('port')});
GRAPH WRITE (INSERT VERTEX 1, INSERT EDGE 0)

agens=# CREATE (t:tmp) SET t.tmp='PORT';
GRAPH WRITE (INSERT VERTEX 1, INSERT EDGE 0, UPDATE PROPERTY 1)

agens=# MATCH (t:tmp) RETURN t;
            t             
--------------------------
 tmp[10.1]{"tmp": "PORT"}
 tmp[10.2]{"tmp": "PORT"}
 tmp[10.3]{"tmp": "PORT"}
(3 rows)

agens=# MATCH (t:tmp) WHERE t.tmp='PORT' RETURN t;
            t             
--------------------------
 tmp[10.1]{"tmp": "PORT"}
 tmp[10.2]{"tmp": "PORT"}
 tmp[10.3]{"tmp": "PORT"}
(3 rows)

Seems like a potential security vulnerability.

hwha commented 4 years ago

Thank you for report.

I'll check this

hwha commented 4 years ago

This query use psql variable expression.

That's why psqlscanner convert :'PORT' to {portnumber}.

Links: SQL Interpolation, Variables

erik-overdahl commented 4 years ago

This query use psql variable expression.

That's why psqlscanner convert :'PORT' to {portnumber}.

Links: SQL Interpolation, Variables

Those links require login to Bitnine Jira

hwha commented 4 years ago

@erik-overdahl

OMG... Im so sorry. I fixed them. Check it again

bitnine-oss / agensgraph

this fails: CREATE (:tmp{tmp:'PORT'}); #496