microsoft / aerial_wildlife_detection

Tools for detecting wildlife in aerial images using active learning
MIT License
226 stars 58 forks source link

SQL injection #33

Open frafra opened 3 years ago

frafra commented 3 years ago

https://github.com/microsoft/aerial_wildlife_detection/blob/de150d03e267676876554f62188689cf4196f4bb/projectCreation/import_images.py#L80-L82

https://github.com/microsoft/aerial_wildlife_detection/blob/de150d03e267676876554f62188689cf4196f4bb/projectCreation/import_images.py#L90-L94

https://github.com/microsoft/aerial_wildlife_detection/blob/de150d03e267676876554f62188689cf4196f4bb/application.py#L69-L73

There are various examples of this in the source code.

bkellenb commented 3 years ago

Hello,

Thank you very much for raising these issues. As a matter of fact most of them are in legacy import and export scripts that are more or less replaced with browser functionality. I nonetheless replaced them in the latest commit on the current development branch ("aide_detectron2"), which is going to become the new master branch accordingly. All other locations should be SQL injection-proof as well.

The only exception is the setup/migrate_aide.py script, which would require too many formatting commands for each project. However, this script is only executed at the launch of AIDE and cannot be accessed from the Web server in any normal way.

FYI: the first two examples pose a risk to SQL injection; the third is the officially recommended way of using the psycopg2 library and involves automatic SQL injection prevention in the library itself (see documentation).