Hello, in reviewing the code in this repo, I noticed the schema evolution feature has a SQL injection possibility.
The query is constructed by inserting the new column names directly into the query there: https://github.com/snowflakedb/snowflake-kafka-connector/blob/d6ed5e19d03e81dad1f6[…]lake/kafka/connector/internal/SnowflakeConnectionServiceV1.java
As far as I can tell, the column name is quoted, but not in a robust manner, so one could inject another SQL statement inside of the column name if the data coming in is untrusted. https://github.com/snowflakedb/snowflake-kafka-connector/blob/d6ed5e19d03e81dad1f6[…]1b845054/src/main/java/com/snowflake/kafka/connector/Utils.java
I think quoteIfNeeded needs to escape double quotes so that SQL injection isn't possible, and if the string is already quoted verify the quotes are properly escaped, otherwise the string should be quoted and escaped as a whole (or throw an exception?).
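
An added example, not part of the original report and not the connector's own code: one way to implement the quoting behaviour requested above. The class and method names are hypothetical, and it assumes Snowflake's rule that a double quote inside a quoted identifier is written as two double quotes.

```java
import java.util.regex.Pattern;

public class IdentifierQuoting {
    // Shape of an identifier that needs no quoting: letter or underscore first,
    // then letters, digits, underscores or dollar signs.
    private static final Pattern BARE = Pattern.compile("[A-Za-z_][A-Za-z0-9_$]*");

    /** Hypothetical hardened helper: the result is always a single identifier token. */
    static String quoteIdentifier(String name) {
        if (name == null || name.isEmpty()) {
            throw new IllegalArgumentException("empty identifier");
        }
        if (BARE.matcher(name).matches()) {
            return name; // nothing in it can terminate the identifier
        }
        if (name.length() > 2 && name.startsWith("\"") && name.endsWith("\"")) {
            String inner = name.substring(1, name.length() - 1);
            if (quotesAreDoubled(inner)) {
                return name; // already a well-formed quoted identifier
            }
            // Wrapped in quotes but with a lone inner quote: do not trust the
            // wrapping, fall through and escape the input as a whole.
        }
        return "\"" + name.replace("\"", "\"\"") + "\"";
    }

    /** True when every double quote in the string is part of a "" pair. */
    static boolean quotesAreDoubled(String inner) {
        for (int i = 0; i < inner.length(); i++) {
            if (inner.charAt(i) == '"') {
                if (i + 1 >= inner.length() || inner.charAt(i + 1) != '"') {
                    return false;
                }
                i++; // skip the second quote of the pair
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample column names, as they might arrive in record data.
        String[] samples = {"AGE", "first name", "\"say \"\"hi\"\"\"", "\"a\" INT, \"b\""};
        for (String s : samples) {
            System.out.println(s + "  ->  " + quoteIdentifier(s));
        }
    }
}
```

The last sample starts and ends with a double quote but contains lone inner quotes, which is the case a check of only the first and last character would pass through unchanged. Throwing an exception at the fall-through point instead of re-escaping is the stricter alternative the report mentions.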