This page is not created by, affiliated with, or supported by Slack Technologies, Inc.
2021-12-04
Channels
- # admin-announcements (1)
- # adventofcode (98)
- # announcements (5)
- # asami (3)
- # babashka (24)
- # beginners (51)
- # bitcoin (3)
- # calva (24)
- # clj-kondo (73)
- # cljdoc (5)
- # cljs-dev (2)
- # clojure (15)
- # clojure-czech (3)
- # clojure-dev (27)
- # clojure-europe (7)
- # clojure-gamedev (1)
- # clojure-italy (2)
- # clojure-uk (1)
- # conjure (4)
- # cursive (18)
- # datahike (4)
- # datomic (3)
- # deps-new (7)
- # emacs (1)
- # events (10)
- # fulcro (5)
- # honeysql (4)
- # jackdaw (2)
- # java (13)
- # lsp (85)
- # meander (9)
- # membrane (1)
- # minecraft (1)
- # off-topic (45)
- # re-frame (16)
- # sql (17)
- # tools-deps (10)
- # vscode (9)
- # xtdb (8)
So, if one uses https://github.com/seancorfield/next-jdbc/blob/develop/src/next/jdbc/sql.clj#L31
and does (insert! conn "bobby-tables" map-from-evil-user)
is there a way for that map to contain keys or values which would lead to sql-injection, ie, does next-jdbc perform any, some, sufficient sanitation of the map-from-evil-user
?
@slipset I just read over the code in next.jdbc.sql.builder
and I think I could construct a hash map with keys that could lead to injection... So I guess we need an issue to get that fixed đ
The next.jdbc.sql
ns constructs SQL strings, so that's where the danger comes in. If you don't use that ns, you're in control of the actual SQL.
I guess I can leverage col-fn to make my own sanitizations, right? The question is, what can next.jdbc do? It cannot use prep.stmt. for the column names and I am not sure there is a cross-db safe way to ensure the strings are safe. Unless the sql standards specifies valid chars for names and all impls follow it.
HoneySQL also has to deal with this so I can use the same approach.
suspicious #";"]
(when-not *allow-suspicious-entities*
(when (re-find suspicious entity)
(throw (ex-info (str "suspicious character found in entity: " entity)
{:disallowed suspicious}))))
It probably ought to disallow '
and the various stropping characters (`[ ] "` and the backtick (MySQL).
While weâre here. From reading the code, it seems like for-insert
creates a prepared-statement kindâa sql-string, whereas the https://github.com/seancorfield/next-jdbc/blob/develop/src/next/jdbc/sql/builder.clj mentions âSQL stringâ and not prepared statement. I think it would be nice if the docstring mentioned that itâs a prepared statement being constructed?
The docs do say "Under the hood, whenever you ask next.jdbc to execute some SQL (via plan, execute!, execute-one! or the "friendly" SQL functions) it calls prepare to create a java.sql.PreparedStatement, adds in the parameters you provide, and then calls .execute on it." but I guess I could make that clearer in the docstrings too.
And those builders do create "SQL strings".
The builders just return ["SQL string" param1 param2 ..]
and the next.jdbc.sql
functions take those and call execute!
or execute-one!
and those functions create PreparedStatement
objects.
(I guess those docstrings could be more specific about the use of PreparedStatement
s đ )