Sanitizing property names in queries and creation commands. #172
In private discussion with @mogui we decided to resolve #169 via a pull request. The security issue was a SQL injection attack vector, exploitable in one location and potentially a few more, that allowed an attacker to change the `WHERE` clause in a query and cause it to return unexpected results. Here is an example query:

`graph.create_vertex` and `graph.create_edge` also do similar processing of unsanitized kwargs, but it's masked by the call to `props_to_db`, so they are currently not exploitable, as far as I could determine.

This pull request resolves the problem by sanitizing kwarg arguments to the affected functions. Ideally, it would be merged immediately after #170, which fixes a bug where a newline character in a string field will unexpectedly terminate the query and cause an exception.
Thanks to the maintainers of this repository for promptly acting on my bug report!