On Fri, Mar 8, 2019 at 6:09 PM Walter Askew <[email protected]> wrote:
>
> On Mar 8, 2019, at 11:57 AM, Mike Bayer <[email protected]> wrote:
>
> this use is insecure and is not supported. SQLAlchemy's bound
> parameter rendering is only intended for debugging and for special DDL
> scenarios and should not be used for ordinary SQL statements passed to
> a database.
>
> Would you mind expanding upon why this use is insecure? What sort of problems
> would you expect to encounter?
> Any suggestions for how you’d put together a secure version of this use case?
Datatypes like Integer() when rendering the literal value pass the
incoming input directly to str() which goes straight to the database.
There is no step to test that the value is actually a number,
things like that. I'd like the literal_binds flag to remain
available as it is extremely useful and necessary for some use cases,
but I don't want it turned into a CVE which would imply a great deal
of effort required to lock it down, when the DBAPIs already perform
this function when used correctly. So it is important that I remain
absolutely clear that the literal_binds flag was not intended to be
used this way.
If this were my project, I'd not struggle with the HTTP interface at
all, I'd get a dump of the entire database and copy it into an actual
database backend and have my users query from that. However, failing
that, I would ensure strong type coercion using a form validation
library (things like, if a field is expected to be an integer, it
makes sure the value is in fact an integer) and I'd probably disallow
quote characters inside of strings. I'd ensure that the SQL database
account does not allow any write operations of any kind from this
interface. I'd probably create my own mini-query language on top
that translates into SQL so that there is no direct link between
untrusted users typing commands and what gets sent to any kind of
backend. Basically this is not something I'd be comfortable doing
casually.
>
> --
> SQLAlchemy -
> The Python SQL Toolkit and Object Relational Mapper
>
> http://www.sqlalchemy.org/
>
> To post example code, please provide an MCVE: Minimal, Complete, and
> Verifiable Example. See http://stackoverflow.com/help/mcve for a full
> description.
> ---
> You received this message because you are subscribed to the Google Groups
> "sqlalchemy" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> Visit this group at https://groups.google.com/group/sqlalchemy.
> For more options, visit https://groups.google.com/d/optout.
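The reply above recommends four layers for exposing a query interface to untrusted users: strong type coercion per field, rejecting quote characters in strings, a read-only database account, and a small query language that is translated into SQL rather than passing user text through. The block below is an added illustration of that layering, not code from this thread or from the SQLAlchemy project. It uses only the standard library (`sqlite3`) so it runs offline; the `people` table, its rows, the `SCHEMA`/`OPERATORS` tables and every function name are constructed for the example. The key contrast with `literal_binds` is that the coerced values are handed to the DBAPI as bound parameters (the `?` placeholders); nothing the user typed is ever concatenated into the SQL text.

```python
"""Added example: a validated mini-query layer in front of a read-only SQLite DB.

Untrusted input is a list of (column, operator, value) filters.  Each column is
checked against a fixed schema, each value is coerced to the declared type, and
the result is parameterized SQL executed through the DBAPI.  Everything here
(table, rows, names) is constructed for the demo.
"""
import os
import sqlite3
import tempfile

# Constructed schema: the only columns, and their types, the interface accepts.
SCHEMA = {"id": int, "name": str, "age": int}
# Allowed operators, mapped to the SQL fragment the layer emits.  The user
# supplies the key ("eq", "lt", "gt"), never the SQL on the right-hand side.
OPERATORS = {"eq": "=", "lt": "<", "gt": ">"}


class QueryError(ValueError):
    """Raised for any input the mini-query language does not accept."""


def coerce(column, raw):
    """Strong type coercion: return the value as the schema's type or reject it."""
    if column not in SCHEMA:
        raise QueryError(f"unknown column {column!r}")
    typ = SCHEMA[column]
    if typ is int:
        # This is the check the thread says Integer() + literal_binds lacks:
        # the input must actually be an integer, not merely str()-able.
        if isinstance(raw, bool) or not str(raw).lstrip("-").isdigit():
            raise QueryError(f"{column} must be an integer, got {raw!r}")
        return int(raw)
    if typ is str:
        value = str(raw)
        # Disallow quote characters in strings, as the reply suggests.
        if "'" in value or '"' in value:
            raise QueryError(f"quote characters are not allowed in {column}")
        return value
    raise QueryError(f"unsupported type for {column!r}")


def build_query(filters):
    """Translate [(column, op, value), ...] into (parameterized SQL, params)."""
    clauses, params = [], []
    for column, op, raw in filters:
        if op not in OPERATORS:
            raise QueryError(f"unsupported operator {op!r}")
        value = coerce(column, raw)          # validates column and value first
        clauses.append(f"{column} {OPERATORS[op]} ?")  # only schema names reach SQL
        params.append(value)
    where = " AND ".join(clauses) if clauses else "1=1"
    return f"SELECT id, name, age FROM people WHERE {where} ORDER BY id", params


def make_demo_db(path):
    """Create the constructed sample table (done once, with a writable handle)."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE people (id INTEGER, name TEXT, age INTEGER)")
    conn.executemany("INSERT INTO people VALUES (?, ?, ?)",
                     [(1, "ada", 36), (2, "linus", 29), (3, "grace", 85)])
    conn.commit()
    conn.close()


def run_query(path, filters):
    """Execute a validated query through a read-only connection (POSIX URI form)."""
    sql, params = build_query(filters)
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        return conn.execute(sql, params).fetchall()
    finally:
        conn.close()


def write_is_blocked(path):
    """Show that the read-only handle refuses writes even if one were attempted."""
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        conn.execute("DELETE FROM people")
        return False
    except sqlite3.OperationalError:
        return True
    finally:
        conn.close()


def demo():
    """Build a throwaway DB, run one valid query, and collect the rejected inputs."""
    path = os.path.join(tempfile.mkdtemp(), "demo.db")
    make_demo_db(path)
    rejected = {}
    for column, op, raw in [("age", "gt", "30 OR 1=1"),   # not an integer
                            ("name", "eq", "o'brien"),    # quote character
                            ("password", "eq", "x"),      # column not in schema
                            ("age", "like", 1)]:          # operator not allowed
        try:
            build_query([(column, op, raw)])
        except QueryError as exc:
            rejected[(column, op, raw)] = str(exc)
    rows = run_query(path, [("age", "gt", "30")])
    return rows, rejected, write_is_blocked(path)


if __name__ == "__main__":
    rows, rejected, blocked = demo()
    print("rows:", rows)
    for key, why in rejected.items():
        print("rejected", key, "->", why)
    print("writes blocked:", blocked)
```

Each filter's column name is looked up in `SCHEMA` before it is interpolated, so the only identifiers that ever reach the SQL string are the ones the schema already spells out; the user's values travel exclusively as parameters. The `mode=ro` URI stands in for the read-only database account the reply recommends.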