Skip to content

Commit

Permalink
Always wrap arguments in parentheses in the SQL sanitizer
Browse files Browse the repository at this point in the history
  • Loading branch information
jackc committed Mar 4, 2024
1 parent 826a892 commit f94eb0e
Show file tree
Hide file tree
Showing 2 changed files with 14 additions and 20 deletions.
14 changes: 4 additions & 10 deletions internal/sanitize/sanitize.go
Original file line number Diff line number Diff line change
Expand Up @@ -44,18 +44,8 @@ func (q *Query) Sanitize(args ...interface{}) (string, error) {
str = "null"
case int64:
str = strconv.FormatInt(arg, 10)
// Prevent SQL injection via Line Comment Creation
// https://github.com/jackc/pgx/security/advisories/GHSA-m7wr-2xf7-cm9p
if arg < 0 {
str = "(" + str + ")"
}
case float64:
// Prevent SQL injection via Line Comment Creation
// https://github.com/jackc/pgx/security/advisories/GHSA-m7wr-2xf7-cm9p
str = strconv.FormatFloat(arg, 'f', -1, 64)
if arg < 0 {
str = "(" + str + ")"
}
case bool:
str = strconv.FormatBool(arg)
case []byte:
Expand All @@ -68,6 +58,10 @@ func (q *Query) Sanitize(args ...interface{}) (string, error) {
return "", fmt.Errorf("invalid arg type: %T", arg)
}
argUse[argIdx] = true

// Prevent SQL injection via Line Comment Creation
// https://github.com/jackc/pgx/security/advisories/GHSA-m7wr-2xf7-cm9p
str = "(" + str + ")"
default:
return "", fmt.Errorf("invalid Part type: %T", part)
}
Expand Down
20 changes: 10 additions & 10 deletions internal/sanitize/sanitize_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -127,52 +127,52 @@ func TestQuerySanitize(t *testing.T) {
{
query: sanitize.Query{Parts: []sanitize.Part{"select 42"}},
args: []interface{}{},
expected: `select 42`,
expected: `select (42)`,
},
{
query: sanitize.Query{Parts: []sanitize.Part{"select ", 1}},
args: []interface{}{int64(42)},
expected: `select 42`,
expected: `select (42)`,
},
{
query: sanitize.Query{Parts: []sanitize.Part{"select ", 1}},
args: []interface{}{float64(1.23)},
expected: `select 1.23`,
expected: `select (1.23)`,
},
{
query: sanitize.Query{Parts: []sanitize.Part{"select ", 1}},
args: []interface{}{true},
expected: `select true`,
expected: `select (true)`,
},
{
query: sanitize.Query{Parts: []sanitize.Part{"select ", 1}},
args: []interface{}{[]byte{0, 1, 2, 3, 255}},
expected: `select '\x00010203ff'`,
expected: `select ('\x00010203ff')`,
},
{
query: sanitize.Query{Parts: []sanitize.Part{"select ", 1}},
args: []interface{}{nil},
expected: `select null`,
expected: `select (null)`,
},
{
query: sanitize.Query{Parts: []sanitize.Part{"select ", 1}},
args: []interface{}{"foobar"},
expected: `select 'foobar'`,
expected: `select ('foobar')`,
},
{
query: sanitize.Query{Parts: []sanitize.Part{"select ", 1}},
args: []interface{}{"foo'bar"},
expected: `select 'foo''bar'`,
expected: `select ('foo''bar')`,
},
{
query: sanitize.Query{Parts: []sanitize.Part{"select ", 1}},
args: []interface{}{`foo\'bar`},
expected: `select 'foo\''bar'`,
expected: `select ('foo\''bar')`,
},
{
query: sanitize.Query{Parts: []sanitize.Part{"insert ", 1}},
args: []interface{}{time.Date(2020, time.March, 1, 23, 59, 59, 999999999, time.UTC)},
expected: `insert '2020-03-01 23:59:59.999999Z'`,
expected: `insert ('2020-03-01 23:59:59.999999Z')`,
},
{
query: sanitize.Query{Parts: []sanitize.Part{"select 1-", 1}},
Expand Down

0 comments on commit f94eb0e

Please sign in to comment.