opennewzealand / linz2osm

Some tools for helping move LINZ data into OpenStreetMap
http://wiki.openstreetmap.org/wiki/LINZ
GNU General Public License v3.0
23 stars 2 forks source link

Turn restrictions #122

Closed stephend closed 9 years ago

stephend commented 9 years ago

https://github.com/opennewzealand/linz2osm/issues/115

Current status:

rcoup commented 9 years ago

I'm concerned at the amount of raw SQL string construction - is there a way we can sanitise/check layer & attribute names to ensure no spaces/semicolons/quotes/etc? Maybe just via a Django model RegexValidator

stephend commented 9 years ago

is there a way we can sanitise/check layer & attribute names to ensure no spaces/semicolons/quotes/etc?

I take your point, but we can't simply use validation. Layers can only be created through the admin interface, and attribute names are pulled directly from database column names. That's not to suggest that admins (or people who host data services that we pull from) can't inject things, but it's not something random people can do. Even then, layer and attribute names are sanitised when we load them into the database...

If you're deeply concerned about the SQL construction, it'll have to be through escaping at string construction time.

rcoup commented 9 years ago

Even then, layer and attribute names are sanitised when we load them into the database...

So, isn't that an acceptable approach then? If ;foo.bar-- isn't an acceptable layer name & it gets sanitised then errors caused by bad names shouldn't happen.

stephend commented 9 years ago

So, isn't that an acceptable approach then? If ;foo.bar-- isn't an acceptable layer name & it gets sanitised then errors caused by bad names shouldn't happen.

Yeah, there's no actual way to exploit this in practice unless you /already/ have write access to the database. It doesn't hugely concern me, except that the chain of things protecting it is fairly long and complicated, rather than being Defence In Depth.

rcoup commented 9 years ago

It's more about weird names causing SQL crashes than malicious intent. Since as you say, users who can mess with it already have DB access

stephend commented 9 years ago

It's more about weird names causing SQL crashes than malicious intent. Since as you say, users who can mess with it already have DB access

Fair enough. That said, it doesn't seem quite so urgent, given how concerned we are with getting turn restrictions done ASAP. I'll ticket separately?

rcoup commented 9 years ago

Even then, layer and attribute names are sanitised when we load them into the database...

From that^ I was assuming it's already done? (if not, ticket separately)

stephend commented 9 years ago

From that^ I was assuming it's already done? (if not, ticket separately)

They're done in the helper scripts that load the data into the database from source (by ogr2ogr, which has an option to sanitise names to things that don't need double-quotes in SQL).

Which seems fairly disconnected from the actual use of that information: in particular, there's nothing to require sanitisation if someone loads in data directly from a geo database, or without using a helper script.

rcoup commented 9 years ago

LGTM, could the turn angle bit have some docs just to make it clear what's what and where it comes from?