Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: possible unauthenticated SQL injection when login #1383

Merged
merged 3 commits into from
Dec 8, 2023

Conversation

jczhong84
Copy link
Collaborator

when sending an object insdie the username like:

POST /ds/login/ HTTP/1.1
Host: localhost:10001

{"username":{"test":1},"password":"test"}

will get

"(pymysql.err.ProgrammingError) (1064, \"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''test': '1'} \\n LIMIT 1' at line 3\")\n[SQL: SELECT user.password AS user_password, user.id AS user_id, user.username AS user_username, user.fullname AS user_fullname, user.email AS user_email, user.profile_img AS user_profile_img, user.deleted AS user_deleted, user.is_group AS user_is_group, user.properties AS user_properties \nFROM user \nWHERE user.username = %(username_1)s \n LIMIT %(param_1)s]\n[parameters: {'username_1': {'test': 1}, 'param_1': 1}]\n(Background on this error at: https://sqlalche.me/e/14/f405)",
  "host": "2297766a08be",
  "traceback": "Traceback (most recent call last):\n  File \"/usr/local/lib/python3.9/site-packages/sqlalchemy/engine/base.py\", line 1819, in _execute_context\n    self.dialect.do_execute(\n  File \"/usr/local/lib/python3.9/site-packages/sqlalchemy/engine/default.py\", line 732, in do_execute\n    cursor.execute(statement, parameters)\n  File \"/usr/local/lib/python3.9/site-packages/pymysql/cursors.py\", line 148, in execute\n    result = self._query(query)\n  File \"/usr/local/lib/python3.9/site-packages/pymysql/cursors.py\", line 310, in _query\n    conn.query(q)\n  File \"/usr/local/lib/python3.9/site-packages/pymysql/connections.py\", line 548, in query\n    self._affected_rows = self._read_query_result(unbuffered=unbuffered)\n  File \"/usr/local/lib/python3.9/site-packages/pymysql/connections.py\", line 775, in _read_query_result\n    result.read()\n  File \"/usr/local/lib/python3.9/site-packages/pymysql/connections.py\", line 1156, in read\n    first_packet = self.connection._read_packet()\n  File \"/usr/local/lib/python3.9/site-packages/pymysql/connections.py\", line 725, in _read_packet\n    packet.raise_for_error()\n  File \"/usr/local/lib/python3.9/site-packages/pymysql/protocol.py\", line 221, in raise_for_error\n    err.raise_mysql_exception(self._data)\n  File \"/usr/local/lib/python3.9/site-packages/pymysql/err.py\", line 143, in raise_mysql_exception\n    raise errorclass(errno, errval)\npymysql.err.ProgrammingError: (1064, \"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''test': '1'} \\n LIMIT 1' at line 3\")\n\nThe above exception was the direct cause of the following exception:\n\nTraceback (most recent call last):\n  File \"/opt/querybook/querybook/server/app/datasource.py\", line 84, in handler\n    results = fn(**kwargs)\n  File \"/opt/querybook/querybook/server/app/auth/password_auth.py\", line 50, in login_user_endpoint\n    user = authenticate(username, password, session=session)\n  File \"/opt/querybook/querybook/server/app/db.py\", line 136, in func\n    return fn(*args, **kwargs)\n  File \"/opt/querybook/querybook/server/app/auth/password_auth.py\", line 35, in authenticate\n    user = get_user_by_name(username, session=session)\n  File \"/opt/querybook/querybook/server/app/db.py\", line 136, in func\n    return fn(*args, **kwargs)\n  File \"/opt/querybook/querybook/server/logic/user.py\", line 35, in get_user_by_name\n    return User.get(username=username, session=session)\n  File \"/opt/querybook/querybook/server/app/db.py\", line 136, in func\n    return fn(*args, **kwargs)\n  File \"/opt/querybook/querybook/server/lib/sqlalchemy/__init__.py\", line 77, in get\n    return query.first()\n  File \"/usr/local/lib/python3.9/site-packages/sqlalchemy/orm/query.py\", line 2819, in first\n    return self.limit(1)._iter().first()\n  File \"/usr/local/lib/python3.9/site-packages/sqlalchemy/orm/query.py\", line 2903, in _iter\n    result = self.session.execute(\n  File \"/usr/local/lib/python3.9/site-packages/sqlalchemy/orm/session.py\", line 1712, in execute\n    result = conn._execute_20(statement, params or {}, execution_options)\n  File \"/usr/local/lib/python3.9/site-packages/sqlalchemy/engine/base.py\", line 1631, in _execute_20\n    return meth(self, args_10style, kwargs_10style, execution_options)\n  File \"/usr/local/lib/python3.9/site-packages/sqlalchemy/sql/elements.py\", line 332, in _execute_on_connection\n    return connection._execute_clauseelement(\n  File \"/usr/local/lib/python3.9/site-packages/sqlalchemy/engine/base.py\", line 1498, in _execute_clauseelement\n    ret = self._execute_context(\n  File \"/usr/local/lib/python3.9/site-packages/sqlalchemy/engine/base.py\", line 1862, in _execute_context\n    self._handle_dbapi_exception(\n  File \"/usr/local/lib/python3.9/site-packages/sqlalchemy/engine/base.py\", line 2043, in _handle_dbapi_exception\n    util.raise_(\n  File \"/usr/local/lib/python3.9/site-packages/sqlalchemy/util/compat.py\", line 208, in raise_\n    raise exception\n  File \"/usr/local/lib/python3.9/site-packages/sqlalchemy/engine/base.py\", line 1819, in _execute_context\n    self.dialect.do_execute(\n  File \"/usr/local/lib/python3.9/site-packages/sqlalchemy/engine/default.py\", line 732, in do_execute\n    cursor.execute(statement, parameters)\n  File \"/usr/local/lib/python3.9/site-packages/pymysql/cursors.py\", line 148, in execute\n    result = self._query(query)\n  File \"/usr/local/lib/python3.9/site-packages/pymysql/cursors.py\", line 310, in _query\n    conn.query(q)\n  File \"/usr/local/lib/python3.9/site-packages/pymysql/connections.py\", line 548, in query\n    self._affected_rows = self._read_query_result(unbuffered=unbuffered)\n  File \"/usr/local/lib/python3.9/site-packages/pymysql/connections.py\", line 775, in _read_query_result\n    result.read()\n  File \"/usr/local/lib/python3.9/site-packages/pymysql/connections.py\", line 1156, in read\n    first_packet = self.connection._read_packet()\n  File \"/usr/local/lib/python3.9/site-packages/pymysql/connections.py\", line 725, in _read_packet\n    packet.raise_for_error()\n  File \"/usr/local/lib/python3.9/site-packages/pymysql/protocol.py\", line 221, in raise_for_error\n    err.raise_mysql_exception(self._data)\n  File \"/usr/local/lib/python3.9/site-packages/pymysql/err.py\", line 143, in raise_mysql_exception\n    raise errorclass(errno, errval)\nsqlalchemy.exc.ProgrammingError: (pymysql.err.ProgrammingError) (1064, \"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''test': '1'} \\n LIMIT 1' at line 3\")\n[SQL: SELECT user.password AS user_password, user.id AS user_id, user.username AS user_username, user.fullname AS user_fullname, user.email AS user_email, user.profile_img AS user_profile_img, user.deleted AS user_deleted, user.is_group AS user_is_group, user.properties AS user_properties \nFROM user \nWHERE user.username = %(username_1)s \n LIMIT %(param_1)s]\n[parameters: {'username_1': {'test': 1}, 'param_1': 1}]\n(Background on this error at: https://sqlalche.me/e/14/f405)\n

@czgu czgu merged commit 7214963 into pinterest:master Dec 8, 2023
3 checks passed
aidenprice pushed a commit to arrowtail-precision/querybook that referenced this pull request Jan 3, 2024
* fix: possible unauthenticated SQL injection when login

* add to api layer

* update ldap_auth
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants