[SECURITY] SQL injection when handling dict input

There was a SQL injection vulnerability in PyMySQL (CVE-2024-36039), with the root cause in its `converters.py`. asyncmy's cython version of converters seems to have the same issue, which makes asyncmy also vulnerable.

details:

https://github.com/long2ice/asyncmy/blob/2497b7b3f95c94e9ced7dc0e1024fca453f75195/asyncmy/converters.pyx#L29-L34

Only dict values are escaped. This allows SQL injection when dict keys can be controlled by user's input.


	cpdef dict escape_dict(dict val, str charset, mapping: dict = None):
	n = {}
	for k, v in val.items():
	quoted = escape_item(v, charset, mapping)
	n[k] = quoted
	return n

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

[SECURITY] SQL injection when handling dict input #134

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Uh oh!

[SECURITY] SQL injection when handling dict input #134

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions