Closed apoorvdeshmukh closed 1 year ago
shueybubbles
commented
1 year ago please add tests. There's a pretty big matrix of input to cover here and the tests need to show what's valid and what's not. We need to handle edge cases that could lead to sql injection if we don't escape the name, etc. Can I pass a local file path like --using "c:\path with a space and a comm,a\path","db space and co,mma" ?
shueybubbles
commented
1 year ago do we want to allow the user to provide the db name as a bracketed identifier? eg
--using https://someurl/somefile.bak,[my database]In reply to: 1460392606
shueybubbles
commented
1 year ago if there's a space in the name or the path will the user have to surround the entire parameter with quotes?
In reply to: 1460405555
stuartpa
commented
1 year ago Yes, add an example with --using with a space in the db name (it works, we tested it)
In reply to: 1460405555
shueybubbles
commented
1 year ago String: &c.usingDatabaseUrl,
Is there a way we could change this flag type to a StringSlice and restrict it to only being used once? That could let cobra do the heavy lifting of delimiting the components by the comma, and our code could potentially allow more parameters in the future.
I think the default behavior of StringSlice is to allow the same flag to be used multiple times like
-u f1,f2 -u f3Refers to: cmd/modern/root/install/mssql-base.go:192 in 246bd0e. [](commit_id = 246bd0ee6d8d80eddd658fa719dd6c91d26f6859, deletion_comment = False)
apoorvdeshmukh
commented
1 year ago please add tests. There's a pretty big matrix of input to cover here and the tests need to show what's valid and what's not. We need to handle edge cases that could lead to sql injection if we don't escape the name, etc. Can I pass a local file path like --using "c:\path with a space and a comm,a\path","db space and co,mma" ?
We do not support filesystem paths at the moment. Only http and https. But I will add tests to check what happens if such input is intentionally passed.
apoorvdeshmukh
commented
1 year ago do we want to allow the user to provide the db name as a bracketed identifier? eg
--using https://someurl/somefile.bak,[my database]In reply to: 1460392606
I checked with @stuartpa and for now we will only support URL,DbName where ,DbName is optional.
If there are spaces or commas in the DbName then we would expect user to surround the entire argument of --using with ""
E.g. --using "https://aka.ms/AdventureWorksLT.bak,My Db"
shueybubbles
commented
1 year ago per our meeting - make sure you bracket-escape the name before putting it in a SQL query "https:/server/file.bak,db [name]" ==> [db [name]]]
In reply to: 1461812698
shueybubbles
commented
1 year ago SET @sql = 'RESTORE DATABASE [%s] FROM DISK = ''%s/%s'' WITH '
if databaseName has a ] in it this query becomes a vector for sql injection. Similarly if any of the other parameters have a ' in their value this query will go awry.
Either use a properly parameterized query (go-mssqldb supports parameterized queries) or escape everything appropriately. It's even more complicated here because it's using dynamic SQL. Any values you are adding that have a ' in them may need to be double escaped. Look at the SMO code for guidance/examples.
Refers to: cmd/modern/root/install/mssql-base.go:530 in 7a37b69. [](commit_id = 7a37b697417c615cee774b5bc6d61b9e0a2ea236, deletion_comment = False)
stuartpa
commented
1 year ago We want to incrementally improve the quality of the experience here. There is a quality issue with the experience right now, in that folks don't want to be stuck with the name of the .bak file as the database name. It would improve the experience if we allow a database name to be specified. In the limit we should support a database name that covers the entire input space for T/SQL identifiers, but we don't have to do that in a single PR. It is fine in this PR to limit the input space for the database name so SQL injection is not possible, and enter an issue to widen the input space. What we don't want to see is we end up reducing quality by not thinking through the complete solution for all T/SQL identifier input space in one PR.
shueybubbles
commented
1 year ago We should be able to write a functional test for this in the ADO pipeline. ADO hosted agents have docker on them, so the pipeline should be able to use the sqlcmd it builds to run some permutations on sqlcmd create --using and verify the E2E scenario.
The unit test is insufficient to prove we are doing the right thing with the user input all the way through the download and rename process.
In reply to: 1462251401
apoorvdeshmukh
commented
1 year ago We should be able to write a functional test for this in the ADO pipeline. ADO hosted agents have docker on them, so the pipeline should be able to use the sqlcmd it builds to run some permutations on
sqlcmd create --usingand verify the E2E scenario. The unit test is insufficient to prove we are doing the right thing with the user input all the way through the download and rename process.In reply to: 1462251401
Created #306 to add functional tests for E2E testing scenarios
This commit adds support for specifying database name with
--usingoption by specifying,DbNameat the end of the URL This PR closes #216Example without specifying customized database name, in which case Dbname defaults to the filename without extension
Example with customized database name, in which case Dbname is set to user provided value