search

lquerel / gcp-bigquery-client

GCP BigQuery Client (Rust)
Apache License 2.0
92 stars 60 forks source link

README example is vulnerable to SQL injection #29

Open Shnatsel opened 1 year ago

Shnatsel commented 1 year ago

The example in the README uses the following code to build a query:

    // Query
    let mut rs = client
        .job()
        .query(
            project_id,
            QueryRequest::new(format!(
                "SELECT COUNT(*) AS c FROM `{}.{}.{}`",
                project_id, dataset_id, table_id
            )),
        )
        .await?;

This appears to be vulnerable to SQL injection: if any of the project_id, dataset_id, table_id fields come from an untrusted source, they may contain additional SQL statements, e.g. DROP TABLE, which will be injected into the query and passed on to the BigQuery API.

If this is indeed the case, an example should be provided that avoids the issue. If BigQuery does not provide an API that's immune to SQL injection, the inputs should be sanitized of SQL statements recognized by BigQuery.

Shnatsel commented 1 year ago

BigQuery does provide parametrized queries that are immune to SQL injection by design: https://cloud.google.com/bigquery/docs/parameterized-queries