Browse Source

Forbid SQL injection by checking unbalanced parenthesis

pull/245/head
Guewen Baconnier 9 years ago
parent
commit
f76213c6d8
  1. 33
      sql_view/models/sql_view.py

33
sql_view/models/sql_view.py

@ -59,10 +59,43 @@ class SQLView(orm.Model):
records = self.browse(cr, uid, ids, context=context) records = self.browse(cr, uid, ids, context=context)
return all(PG_NAME_RE.match(record.sql_name) for record in records) return all(PG_NAME_RE.match(record.sql_name) for record in records)
def _check_definition(self, cr, uid, ids, context=None):
""" Forbid a SQL definition with unbalanced parenthesis.
The reason is that the view's definition will be enclosed in:
CREATE VIEW {view_name} AS ({definition})
The parenthesis around the definition prevent users to inject
and execute arbitrary queries after the SELECT part (by using a
semicolon). However, it would still be possible to craft a
definition like the following which would close the parenthesis
and start a new query:
SELECT * FROM res_users); DELETE FROM res_users WHERE id IN (1
This is no longer possible if we ensure that we don't have an
unbalanced closing parenthesis.
"""
for record in self.browse(cr, uid, ids, context=context):
balanced = 0
for char in record.definition:
if char == '(':
balanced += 1
elif char == ')':
balanced -= 1
if balanced == -1:
return False
return True
_constraints = [ _constraints = [
(_check_sql_name, (_check_sql_name,
'The SQL name is not a valid PostgreSQL identifier', 'The SQL name is not a valid PostgreSQL identifier',
['sql_name']), ['sql_name']),
(_check_definition,
'This SQL definition is not allowed',
['definition']),
] ]
def _sql_view_comment(self, cr, uid, sql_view, context=None): def _sql_view_comment(self, cr, uid, sql_view, context=None):

Loading…
Cancel
Save