Open Azhng opened 2 years ago
@Azhng you're missing a hyperlink I think? Can you add it?
cc @catj-cockroach - can you put this on the seceng radar?
NB: @petermattis has implemented a framework for CC managed-service that helps fix this. Peter, can you point the participants here to the code you've authored? thx
Ideally we could have a linter for this but that's pretty hard to do.
Another idea is to update our randomized testing framework to try doing SQL injection attacks on SHOW commands and see if parse ever fails with the error that we're trying to parse multiple statements; our injection attack can contain crdb_internal.panic().
Currently, we have various places [1] where we use fmt.Sprintf() with %s to format SQL statements. This is prone to SQL injection bugs. Instead we should be using lexbase.EncodeSQLString to properly escape the statements.

edit (knz): note that tree.Name has a String() method that already does the right thing, so it's OK to do %s with a tree.Name. With string, not so much.

[1]: for instance (not comprehensive):
Jira issue: CRDB-9593
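As an added example (not code from this issue or from CockroachDB), the Go program below puts the two ideas in this thread side by side: a SHOW statement built with fmt.Sprintf and %s from a raw string, the same statement built with a quoted-literal encoder instead, and a small check in the spirit of the randomized-testing suggestion above that flags any input for which the resulting text no longer reads as exactly one statement. The names encodeSQLString, statementCount and fuzzInjection are invented here: encodeSQLString is a simplified stand-in for lexbase.EncodeSQLString that only doubles embedded single quotes (the real function also handles non-printable bytes and escape-string forms), statementCount is a toy splitter that only understands single-quoted literals and -- comments rather than the CockroachDB parser, and the payload list is constructed. Identifier quoting (the tree.Name case) is not covered.

```go
package main

import (
	"fmt"
	"strings"
)

// buildShowVulnerable splices the value into the statement with %s and no
// escaping, which is the pattern the issue flags.
func buildShowVulnerable(value string) string {
	return fmt.Sprintf("SHOW SOMETHING FOR '%s'", value)
}

// encodeSQLString is an assumed, simplified stand-in for lexbase.EncodeSQLString:
// it wraps the value in single quotes and doubles any embedded single quote, so
// the result is always one complete string literal. It does not handle
// non-printable bytes or escape-string syntax.
func encodeSQLString(s string) string {
	return "'" + strings.ReplaceAll(s, "'", "''") + "'"
}

// buildShowSafe formats the same statement but hands the literal to the encoder
// instead of writing the quotes by hand.
func buildShowSafe(value string) string {
	return fmt.Sprintf("SHOW SOMETHING FOR %s", encodeSQLString(value))
}

// statementCount is a toy splitter (not the real parser) used as the oracle for
// the injection check. It returns how many non-empty, top-level statements the
// text contains and whether every single-quoted literal was terminated.
// Semicolons inside literals and inside -- comments do not split statements.
func statementCount(sql string) (int, bool) {
	count := 0
	hasContent := false
	inQuote := false
	for i := 0; i < len(sql); i++ {
		c := sql[i]
		switch {
		case inQuote:
			if c != '\'' {
				continue
			}
			if i+1 < len(sql) && sql[i+1] == '\'' {
				i++ // doubled quote: an escaped quote inside the literal
			} else {
				inQuote = false
			}
		case c == '\'':
			inQuote = true
			hasContent = true
		case c == '-' && i+1 < len(sql) && sql[i+1] == '-':
			for i < len(sql) && sql[i] != '\n' { // skip a -- comment
				i++
			}
		case c == ';':
			if hasContent {
				count++
			}
			hasContent = false
		case c != ' ' && c != '\t' && c != '\n' && c != '\r':
			hasContent = true
		}
	}
	if hasContent {
		count++
	}
	return count, !inQuote
}

// fuzzInjection runs every payload through a statement builder and returns the
// payloads whose output is not exactly one well-formed statement. This is the
// check the randomized-testing suggestion describes, with statementCount in
// place of the real parser.
func fuzzInjection(build func(string) string, payloads []string) []string {
	var flagged []string
	for _, p := range payloads {
		if n, ok := statementCount(build(p)); n != 1 || !ok {
			flagged = append(flagged, p)
		}
	}
	return flagged
}

// payloads is a constructed sample: a benign value, a value with an apostrophe,
// and an injection that smuggles in crdb_internal.panic() as a second statement.
var payloads = []string{
	"alice",
	"O'Reilly",
	"'; SELECT crdb_internal.panic('boom'); --",
}

func main() {
	for _, p := range payloads {
		fmt.Printf("vulnerable: %s\n", buildShowVulnerable(p))
		fmt.Printf("safe:       %s\n", buildShowSafe(p))
	}
	fmt.Println("flagged (vulnerable):", fuzzInjection(buildShowVulnerable, payloads))
	fmt.Println("flagged (safe):      ", fuzzInjection(buildShowSafe, payloads))
}
```

With the vulnerable builder the injection payload yields two statements and the apostrophe payload yields an unterminated literal, so both are flagged; with the encoder every payload stays inside one literal and nothing is flagged. The real lexbase.EncodeSQLString should be preferred over any hand-rolled quoting in production code.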