Closed bmoregeo closed 5 months ago
Hello @bmoregeo. Thanks for pointing this out. Yes correct, the GeoServices output plugin doesn't do any sanitizing for any parameters. Koop's generally been used for read-only connections, but of course, depending on the credentials/permissions you use to connect to your remote datastore, damage from SQL injection could be a risk.
At this point, we've left it up to Provider developers to deal with it, since it may or may not be an issue for everyone. Many providers won't pass on the `where` verbatim (or at all) to their remote API, so in those cases sanitization isn't necessary.
What you do sort of depends on your use case. I would ensure I'm connecting to the remote API/DB with a user that has the narrowest permissions possible (restricted from dropping tables, etc). Beyond that, I think it depends on what your remote datastore is. For example, if it is Postgres, you want to use something like node-postgres and its features that help prevent SQL injection (parameterized queries, etc).
Closing.
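One way a provider could apply the parameterized-query advice above to the `where` parameter, as an added example that is not part of the original thread and not Koop or provider code: parse a restricted `where` grammar, check columns against an allowlist, and emit a `{ text, values }` query config of the kind node-postgres accepts. The `cities` table, the column names, the supported grammar and the function names are assumptions.

```javascript
// Added example. Table, columns and the supported grammar are assumptions.
// Usage with node-postgres (not imported here): client.query(buildQuery(where))
const ALLOWED_COLUMNS = new Set(['name', 'state', 'population']); // hypothetical schema
const OPERATORS = new Set(['=', '<>', '<', '<=', '>', '>=', 'LIKE']);
// One token: 'string' ('' escapes a quote), number, word, or comparison operator.
const TOKEN = /\s*(?:'((?:[^']|'')*)'|(-?\d+(?:\.\d+)?)|([A-Za-z_]\w*)|(<>|<=|>=|=|<|>))/y;

function tokenize(where) {
  const tokens = [];
  let pos = 0;
  while (pos < where.length) {
    TOKEN.lastIndex = pos;
    const m = TOKEN.exec(where);
    if (!m) throw new Error(`Unsupported syntax at offset ${pos}`); // ;, --, (, etc.
    if (m[1] !== undefined) tokens.push({ type: 'value', value: m[1].replace(/''/g, "'") });
    else if (m[2] !== undefined) tokens.push({ type: 'value', value: Number(m[2]) });
    else tokens.push({ type: m[3] ? 'word' : 'op', value: m[3] || m[4] });
    pos = TOKEN.lastIndex;
  }
  return tokens;
}

function buildQuery(where) {
  const input = (where || '').trim();
  const base = 'SELECT * FROM cities';
  // GeoServices clients commonly send 1=1 to mean "all rows".
  if (input === '' || input === '1=1') return { text: base, values: [] };
  const tokens = tokenize(input);
  const parts = [];
  const values = [];
  for (let i = 0; ; i += 4) {
    const [col, op, val, join] = tokens.slice(i, i + 4);
    if (!col || col.type !== 'word' || !ALLOWED_COLUMNS.has(col.value)) throw new Error('Column not allowed');
    const opText = op && op.type !== 'value' ? op.value.toUpperCase() : '';
    if (!OPERATORS.has(opText) || !val || val.type !== 'value') throw new Error('Expected <column> <operator> <literal>');
    values.push(val.value); // the literal travels as a bound parameter, never as SQL text
    parts.push(`"${col.value}" ${opText} $${values.length}`);
    if (!join) break;
    const joinText = join.type === 'word' ? join.value.toUpperCase() : '';
    if (joinText !== 'AND' && joinText !== 'OR') throw new Error('Expected AND or OR');
    parts.push(joinText);
  }
  return { text: `${base} WHERE ${parts.join(' ')}`, values };
}
```

Anything outside the grammar is rejected rather than rewritten, so the only request text that reaches the SQL string is an allowlisted column name, a known operator, or `AND`/`OR`.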
Hello, the feature service endpoint provides a raw sql where clause for filtering data. During testing, we determined that it is not being sanitized en route down to the data providers. Is there a recommended approach to preventing sql injection attacks through the where clause? How are other people handling this? Thanks!