Description
Proposal:
Add a way to bind parameters to any query (i.e. query_api.query_data_frame)
Current behavior:
If I want to make a Flux query, for example:

```python
query_api.query_data_frame(f'from(bucket: \"{self.query_bucket}\") |> range(start: {self.dt_to_influx(dt_from)}, stop: {self.dt_to_influx(dt_to)}) |> filter(fn: (r) => r["_measurement"] == "{<user_input_signals_string>}") |> filter(fn: (r) => r["_field"] == "value") |> aggregateWindow(every: {sampling}s, fn: median, createEmpty: true) |> yield(name: "median")')
```

It is unsafe by the OWASP standard, as I'd have to bind the parameters.
Desired behavior:
I'd like the query_data_frame function to have a bind_parameters/params optional input, where I could put a dictionary for those inputs, with their types.
Alternatives considered:
I could filter the strings, but that is considered unsafe by OWASP. I found there is a "sanitize_for_serialization" method in the api_client.call_api code, but _query_api.post_query in query_api omits this, as does the function query_data_frame_stream used by query_data_frame.
Use case:
I must have safe code as it is part of critical structure.
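As an added illustration (not the client's own code) of the binding the request asks for: a typed `params` dict is compiled into a Flux `extern` AST that travels next to the query text, and the query refers to values as `params.<name>`, so user input never becomes part of the Flux string. It assumes the `/api/v2/query` `extern` field and the Flux AST node names shown below; confirm them against the Flux AST specification for your InfluxDB version before relying on this.

```python
import re
from datetime import datetime, timedelta, timezone

# Flux identifier rule for parameter names (assumption: letters, digits, underscore).
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def _literal(value):
    """Map a Python value to a typed Flux AST literal node; no string concatenation."""
    if isinstance(value, bool):  # bool before int: bool is a subclass of int
        return {"type": "BooleanLiteral", "value": value}
    if isinstance(value, int):
        return {"type": "IntegerLiteral", "value": str(value)}
    if isinstance(value, float):
        return {"type": "FloatLiteral", "value": value}
    if isinstance(value, str):
        return {"type": "StringLiteral", "value": value}
    if isinstance(value, datetime):
        return {"type": "DateTimeLiteral",
                "value": value.astimezone(timezone.utc).isoformat()}
    if isinstance(value, timedelta):
        return {"type": "DurationLiteral",
                "values": [{"magnitude": int(value.total_seconds()), "unit": "s"}]}
    raise TypeError(f"unsupported parameter type: {type(value).__name__}")


def build_extern(params):
    """Build the `extern` AST declaring `params` as an option record of typed literals."""
    props = []
    for name, value in params.items():
        if not _IDENT.match(name):
            raise ValueError(f"invalid parameter name: {name!r}")
        props.append({"type": "Property",
                      "key": {"type": "Identifier", "name": name},
                      "value": _literal(value)})
    return {"type": "File", "package": None, "imports": None, "body": [
        {"type": "OptionStatement", "assignment": {
            "type": "VariableAssignment",
            "id": {"type": "Identifier", "name": "params"},
            "init": {"type": "ObjectExpression", "properties": props}}}]}


def build_query_body(query, params):
    """Request body for POST /api/v2/query: Flux text plus the separate, typed extern."""
    return {"query": query, "extern": build_extern(params)}


# Constructed query: every user-controlled value is referenced, never interpolated.
QUERY = ('from(bucket: params.bucket) |> range(start: params.start, stop: params.stop) '
         '|> filter(fn: (r) => r["_measurement"] == params.measurement) '
         '|> aggregateWindow(every: params.every, fn: median, createEmpty: true)')
```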