
fix: changed query to accept user input in prepared sql statement #2652

Merged (5 commits), Nov 4, 2022

Conversation

deepakrai9185720 (Contributor) commented Nov 4, 2022

Description

GitHub reported a few vulnerabilities. Mentioning the Slack conversation:
https://rudderlabs.slack.com/archives/C049T5P2Z97/p1667507291386099

Notion Ticket

https://www.notion.so/rudderstacks/SQL-injection-vulnerability-in-TriggerWHUploads-rudder-server-25b7e45711034ad7889f458ad24768b0

Security

  • The code changed/added as part of this pull request won't create any security issues with how the software is being used.

@deepakrai9185720 deepakrai9185720 changed the title Changed query to accept user input in prepared sql statement fix: changed query to accept user input in prepared sql statement Nov 4, 2022
codecov bot commented Nov 4, 2022

Codecov Report

Base: 43.74% // Head: 43.76% // Increases project coverage by +0.02% 🎉

Coverage data is based on head (88e8ea8) compared to base (00ba231).
Patch coverage: 37.50% of modified lines in pull request are covered.

❗ Current head 88e8ea8 differs from pull request most recent head 8bc8242. Consider uploading reports for the commit 8bc8242 to get more accurate results

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #2652      +/-   ##
==========================================
+ Coverage   43.74%   43.76%   +0.02%     
==========================================
  Files         187      187              
  Lines       39993    39999       +6     
==========================================
+ Hits        17494    17505      +11     
+ Misses      21403    21395       -8     
- Partials     1096     1099       +3     
Impacted Files Coverage Δ
warehouse/warehouse.go 8.68% <37.50%> (-0.15%) ⬇️
services/rsources/handler.go 69.72% <0.00%> (-1.39%) ⬇️
processor/processor.go 72.02% <0.00%> (+0.77%) ⬆️
config/backend-config/namespace_config.go 73.95% <0.00%> (+3.12%) ⬆️


Comment on lines 1812 to 1813
warehouseutils.WarehouseUploadsTable,
sourceOrDestId,
sourceOrDestColumn,
Member

Ideally, we need to use pq.QuoteIdentifier for table/column names as well.

Contributor Author

Done for the said variable. Doing it for the whole code will take time. Should we do it afterwards, as soon as we get some bandwidth? Wdyt?

Member

Yeah, let's discuss further refactoring and prioritise accordingly.
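The two points this PR turns on, binding the caller-supplied id as a placeholder argument (the fix itself) and passing table and column names through pq.QuoteIdentifier (the reviewer's follow-up), as an added Go example. This is illustration written for this page, not code from rudder-server or the TriggerWHUploads handler: the table name, the column allowlist, the SELECT shape and the attacker inputs are all constructed, and quoteIdentifier is a local copy of what pq.QuoteIdentifier does so the file runs without the lib/pq dependency.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed allowlist of column names a caller may filter by. The real
// project's column set is not shown on this page; these names are assumptions.
var allowedColumns = map[string]bool{
	"source_id":      true,
	"destination_id": true,
}

// quoteIdentifier reproduces the behaviour of lib/pq's pq.QuoteIdentifier so
// this file runs offline: truncate at the first NUL byte, double every
// embedded double quote, wrap the result in double quotes. Whatever the caller
// passes is thereby forced to parse as exactly one identifier token.
func quoteIdentifier(name string) string {
	if i := strings.IndexByte(name, 0); i >= 0 {
		name = name[:i]
	}
	return `"` + strings.ReplaceAll(name, `"`, `""`) + `"`
}

// vulnerableQuery is the pre-fix pattern: identifiers and the caller's value
// are all spliced into the SQL text with fmt.Sprintf, so a value containing a
// quote, or a column name containing SQL, rewrites the WHERE clause.
func vulnerableQuery(table, column, id string) string {
	return fmt.Sprintf(`SELECT id FROM %s WHERE %s = '%s'`, table, column, id)
}

// safeQuery returns the SQL text and the argument slice to hand to
// db.QueryContext / db.ExecContext. The value travels as $1 and never enters
// the SQL text. Identifiers cannot be bound as parameters, so the column is
// checked against the allowlist and both identifiers are quoted before being
// formatted in.
func safeQuery(table, column, id string) (string, []interface{}, error) {
	if !allowedColumns[column] {
		return "", nil, fmt.Errorf("column %q is not an allowed filter column", column)
	}
	query := fmt.Sprintf(`SELECT id FROM %s WHERE %s = $1`,
		quoteIdentifier(table), quoteIdentifier(column))
	return query, []interface{}{id}, nil
}

func main() {
	// Constructed attacker inputs: a value that closes the string literal,
	// and a column name that prepends an always-true predicate.
	badValue := "x' OR '1'='1"
	badColumn := "1=1 OR source_id"

	fmt.Println("vulnerable, bad value: ", vulnerableQuery("wh_uploads", "source_id", badValue))
	fmt.Println("vulnerable, bad column:", vulnerableQuery("wh_uploads", badColumn, "x"))

	q, args, err := safeQuery("wh_uploads", "source_id", badValue)
	fmt.Println("safe:", q, args, err)

	_, _, err = safeQuery("wh_uploads", badColumn, "x")
	fmt.Println("safe, bad column rejected:", err)

	// Even without the allowlist, quoting keeps the injected text inert: it
	// becomes one (nonexistent) column name rather than a predicate.
	fmt.Println("quoted bad column:", quoteIdentifier(badColumn))
}
```

Quoting an identifier only stops it from being parsed as SQL; it does not make the column a legitimate choice, which is why the allowlist stays in front of it. pq.QuoteIdentifier implements PostgreSQL's quoting rules; drivers for other databases quote identifiers differently, so the same approach needs the matching driver helper there.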

lvrach (Member) left a comment

With some minor comments
