[ckan-changes] [ckan/ckan] ebe7f3: [#1725] datastore_search_sql validates being calle...
GitHub
noreply at github.com
Tue Jun 10 02:33:04 UTC 2014
Branch: refs/heads/1725-extend-datastore
Home: https://github.com/ckan/ckan
Commit: ebe7f38c2e845eb10466691e977a1332dd7b22bf
https://github.com/ckan/ckan/commit/ebe7f38c2e845eb10466691e977a1332dd7b22bf
Author: Vitor Baptista <vitor at vitorbaptista.com>
Date: 2014-06-09 (Mon, 09 Jun 2014)
Changed paths:
M ckanext/datastore/db.py
M ckanext/datastore/logic/action.py
M ckanext/datastore/tests/test_search.py
M ckanext/datastore/tests/test_unit.py
M requirements.in
M requirements.txt
Log Message:
-----------
[#1725] datastore_search_sql validates being called with single statement
We're using sqlparse to actually parse the SQL string and make sure it's a
single statement. That means we can be more sure that the user is providing us
with a single statement, and we support SQL statements with semicolons, like
'SELECT * FROM "foo;bar"'.
This is a first step towards avoiding multiple statements even on
datastore_search and datastore_delete, to make our code a bit safer against SQL
Injection vectors.
Commit: 1b0b4054816286143af27381dd3996e167544484
https://github.com/ckan/ckan/commit/1b0b4054816286143af27381dd3996e167544484
Author: Vitor Baptista <vitor at vitorbaptista.com>
Date: 2014-06-09 (Mon, 09 Jun 2014)
Changed paths:
M ckanext/datastore/db.py
M ckanext/datastore/helpers.py
M ckanext/datastore/logic/action.py
M ckanext/datastore/tests/test_helpers.py
M ckanext/datastore/tests/test_unit.py
Log Message:
-----------
[#1725] Move is_single_statement() to datastore_helpers
It was already being used by datastore_search_sql, so it isn't private. That
being the case, we'd better make it look like it's not private.
Commit: b4befddbf423b6bd6e4b2b02919e78da6421ce0a
https://github.com/ckan/ckan/commit/b4befddbf423b6bd6e4b2b02919e78da6421ce0a
Author: Vitor Baptista <vitor at vitorbaptista.com>
Date: 2014-06-09 (Mon, 09 Jun 2014)
Changed paths:
M ckanext/datastore/db.py
M ckanext/datastore/tests/sample_datastore_plugin.py
M ckanext/datastore/tests/test_interface.py
Log Message:
-----------
[#1725] datastore_search and _delete don't work with multiple statements
What we're trying to avoid is for an insecure extension to allow a malicious
user to create queries like:
```
SELECT * FROM "foo" WHERE (1=1); DELETE FROM "foo"; -- AND "bar"='5');
```
This doesn't avoid all possible SQL injection vectors, but it's one less issue
to worry about.
Compare: https://github.com/ckan/ckan/compare/cfa4e6f9361e...b4befddbf423
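The single-statement check the first and third commits describe, as an added example that is not CKAN's code: the commit uses the sqlparse library, while this standalone version implements the same quote- and comment-aware statement counting directly so it runs without that dependency, and is contrasted with a plain `;`-in-string check that wrongly rejects `SELECT * FROM "foo;bar"`.

```python
# Added example (not CKAN's code): quote-aware single-statement validation.
# The commit relies on sqlparse; this reimplements the idea by hand so the
# behaviour on the cases from the commit messages can be seen directly.

def count_statements(sql):
    """Return the number of top-level SQL statements in `sql`.

    Semicolons inside single-quoted strings, double-quoted identifiers,
    `--` line comments and `/* */` block comments are not separators.
    """
    count = 0
    pending = False  # non-blank content seen since the last separator
    i, n = 0, len(sql)
    while i < n:
        c = sql[i]
        if c in ("'", '"'):
            quote = c
            i += 1
            while i < n:
                if sql[i] == quote:
                    if sql.startswith(quote, i + 1):
                        i += 2  # doubled quote is an escape, stay inside
                        continue
                    break
                i += 1
            i += 1  # step past the closing quote
            pending = True
        elif sql.startswith("--", i):
            newline = sql.find("\n", i)
            i = n if newline == -1 else newline + 1
        elif sql.startswith("/*", i):
            end = sql.find("*/", i + 2)
            i = n if end == -1 else end + 2
        elif c == ";":
            if pending:
                count += 1
            pending = False
            i += 1
        else:
            if not c.isspace():
                pending = True
            i += 1
    if pending:
        count += 1
    return count


def is_single_statement(sql):
    return count_statements(sql) == 1


def naive_is_single_statement(sql):
    # A plain string check: rejects any interior semicolon, quoted or not.
    return ";" not in sql.rstrip().rstrip(";")
```

The injected query quoted in the third commit counts as two statements, while the quoted identifier from the first commit counts as one.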