Detect misuse of psycopg2.sql.SQL composable #608

Open: wants to merge 12 commits into base: main

Conversation

wtkm11

@wtkm11 wtkm11 commented May 1, 2020

Add a plugin test to detect when something other than a string literal is passed to the constructor of the psycopg2.sql.SQL composable object.

See issue #412

Closes #412

Add a plugin test to detect when something other than a string
literal is passed to the constructor of the `psycopg2.sql.SQL`
composable object.

Resolves: PyCQA#412
@lukehinds lukehinds self-requested a review May 7, 2020 11:51
Member

@ericwb ericwb left a comment


This solution is specific to psycopg2. I'd rather see a fix that can reuse the existing general SQL statements plugin to detect this particular case.

@Changaco

This plugin needs to be updated so that it works for psycopg3 in addition to psycopg2.

@ericwb The general plugin injection_sql.py looks for SQL fragments in string literals, whereas this one looks for specific calls with non-literal arguments. Can they and should they really be combined?

If consensus can't be reached on merging this plugin into bandit, then it should be released as a separate package.
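As an added illustration of the check this pull request describes (standalone example code built on Python's `ast` module, not the plugin's own code and not bandit's plugin API), the following walks a constructed sample module and reports every `psycopg2.sql.SQL()` call whose argument is not a string literal; because it matches by name, it also covers psycopg 3's `psycopg.sql.SQL`, the case raised above.

```python
import ast

# Constructed sample module: two calls that should be flagged and one that
# builds the query from a literal template plus Identifier().
SAMPLE = '''
from psycopg2 import sql
from psycopg2.sql import SQL, Identifier

def bad(cur, table, name):
    cur.execute(sql.SQL("SELECT * FROM " + table + " WHERE name = '%s'" % name))

def bad_fstring(cur, table):
    cur.execute(SQL(f"SELECT * FROM {table}"))

def good(cur, table, name):
    cur.execute(sql.SQL("SELECT * FROM {} WHERE name = %s")
                .format(sql.Identifier(table)), (name,))
'''

def _is_sql_ctor(func):
    """Match SQL(...), sql.SQL(...) or psycopg2.sql.SQL(...) by name.
    The name match also covers psycopg 3's psycopg.sql.SQL; being a
    heuristic, an unrelated attribute called SQL would match as well."""
    if isinstance(func, ast.Name):
        return func.id == "SQL"
    return isinstance(func, ast.Attribute) and func.attr == "SQL"

def find_non_literal_sql(source):
    """Return sorted (lineno, node_type) pairs for every SQL() call whose
    template argument is not a plain string literal."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and _is_sql_ctor(node.func)):
            continue
        # psycopg2's signature is SQL(string): accept it positionally or by keyword
        arg = node.args[0] if node.args else next(
            (kw.value for kw in node.keywords if kw.arg == "string"), None)
        if arg is None:
            continue
        # An f-string parses as ast.JoinedStr, not ast.Constant, so it is
        # reported too: its pieces are only known at run time.
        if not (isinstance(arg, ast.Constant) and isinstance(arg.value, str)):
            findings.append((arg.lineno, type(arg).__name__))
    return sorted(findings)

if __name__ == "__main__":
    for lineno, kind in find_non_literal_sql(SAMPLE):
        print(f"line {lineno}: SQL() built from a {kind}, not a string literal")
```

Run on the sample, it reports the string concatenation in `bad` and the f-string in `bad_fstring` but stays silent on `good`, whose template is a literal and whose dynamic part goes through `Identifier()`.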

Successfully merging this pull request may close these issues.

Detecting misuse of the psycopg2.sql module
3 participants