
Add a parameterization option to engine queries and change the SQL parameterization approach #2112

Merged 5 commits, Apr 9, 2023

Conversation

hhyo (Owner) commented Apr 5, 2023

Background

  • Fix the SQL injection risk in how query parameters are handled for non-MySQL databases, mainly in places where dynamic parameters such as database and table names can be supplied by the user
  • Because parameter handling differs across database types, MySQLdb.escape_string is not used directly

Changes

  • Added an escape_string method for escaping string parameters (MySQL only), mainly to unify the MySQL escaping entry point (the latest mysqlclient has removed its escape_string method: https://github.com/PyMySQL/mysqlclient/pull/511)
  • Extended the engine query and execute methods with a parameters argument for passing statement parameters
  • Changed the engine methods that used string formatting for dynamic parameters to use parameterization instead

Affected databases

  • mysql, mssql, pgsql, oracle, clickhouse, phoenix

Affected modules

  • SQL optimization, data query, data dictionary, database management, instance user management, session management, etc.

Testing

  • For the adjusted databases, testing focused on three modules: data query, change workorders, and data dictionary
  • For MySQL, additionally tested potentially affected modules such as parameter management, database management, instance user management, and SQL optimization
  • phoenix not yet tested

Other

  • The SQL content passed in by queries and workorders is itself a statement that must be executed directly, so it is not processed

Related issues

Reference: https://peps.python.org/pep-0249/#paramstyle
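As an added illustration of the change described in this PR (example code written here, not code from the Archery repository or the PR itself), the string-formatting pattern the PR replaces is shown beside a PEP 249 style `query(sql, parameters)` wrapper. sqlite3 stands in for the real drivers, the `tables_meta` table is constructed for the example, and `bind_placeholders` is a hypothetical helper that rewrites placeholders to whatever `paramstyle` a driver module reports.

```python
import re
import sqlite3


def make_db():
    # Constructed in-memory table standing in for a database's catalog view.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tables_meta (db_name TEXT, table_name TEXT)")
    conn.executemany(
        "INSERT INTO tables_meta VALUES (?, ?)",
        [("sales", "orders"), ("sales", "customers"), ("hr", "salaries")],
    )
    conn.commit()
    return conn


def query_formatted(conn, db_name):
    # The pattern the PR replaces: the caller-supplied name is spliced into
    # the SQL text, so a crafted value changes the statement itself.
    sql = "SELECT table_name FROM tables_meta WHERE db_name = '%s'" % db_name
    return [row[0] for row in conn.execute(sql)]


def bind_placeholders(sql, paramstyle):
    # Hypothetical helper: rewrite '?' placeholders to the style the driver
    # reports in its module-level paramstyle (PEP 249). Assumes the SQL text
    # contains no '?' inside string literals.
    if paramstyle == "qmark":
        return sql
    if paramstyle == "format":
        return sql.replace("?", "%s")
    if paramstyle == "numeric":
        counter = iter(range(1, 1000))
        return re.sub(r"\?", lambda _m: ":%d" % next(counter), sql)
    raise ValueError("unsupported paramstyle: %s" % paramstyle)


def query(conn, sql, parameters=None, driver=sqlite3):
    # Parameterized path: the SQL text is fixed and the driver binds the
    # values, so the input can only ever be compared as data.
    sql = bind_placeholders(sql, driver.paramstyle)
    return [row[0] for row in conn.execute(sql, parameters or ())]


def list_tables(conn, db_name):
    sql = "SELECT table_name FROM tables_meta WHERE db_name = ?"
    return query(conn, sql, (db_name,))
```

Identifiers such as database and table names cannot be bound as values by most drivers, which is why the PR keeps a separate escaping entry point for MySQL; the wrapper above covers the value positions.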

hhyo requested review from LeoQuote and nick2wang, April 5, 2023 14:43
mongo, oracle support session management
codecov bot commented Apr 5, 2023

Codecov Report

Patch coverage: 55.83% and project coverage change: +0.01 🎉

Comparison is base (efbaa81) 75.43% compared to head (f01d1ec) 75.44%.

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #2112      +/-   ##
==========================================
+ Coverage   75.43%   75.44%   +0.01%     
==========================================
  Files         103      103              
  Lines       15105    15133      +28     
==========================================
+ Hits        11394    11417      +23     
- Misses       3711     3716       +5     
Impacted Files Coverage Δ
sql/engines/phoenix.py 0.00% <0.00%> (ø)
sql/instance_account.py 10.59% <0.00%> (ø)
sql/instance_database.py 18.27% <0.00%> (ø)
sql/sql_optimize.py 58.37% <0.00%> (-0.87%) ⬇️
sql/tests.py 98.88% <ø> (ø)
sql_api/api_instance.py 69.49% <0.00%> (ø)
sql/instance.py 51.58% <25.00%> (-0.27%) ⬇️
sql/engines/oracle.py 50.68% <36.36%> (ø)
sql/engines/mssql.py 69.90% <57.89%> (-0.30%) ⬇️
sql/engines/mysql.py 77.74% <63.15%> (+0.76%) ⬆️
... and 8 more


LeoQuote (Collaborator) commented Apr 5, 2023

The master strikes again, one go and it's all fixed

hhyo (Owner, Author) commented Apr 6, 2023

The master strikes again, one go and it's all fixed

Please review when you have time... setting up all these test environments is such a hassle

hhyo merged commit 7921044 into master Apr 9, 2023
hhyo deleted the fix_sql_injection branch April 9, 2023 10:51