redash

mirror of https://github.com/valitydev/redash.git synced 2024-11-07 01:25:16 +00:00

History

Omer Lachish 9579f12a83 Protect against SQL injections by using tree comparisons (#3109 ) * add SQLQuery class with tests for safe queries and non-safe tautology attacks * add test for union query injections * split .apply calls to newline * add tests for comment attacks * remove double underscore * extract complex children check to variable * inherit from object because I'm not a lamer Co-Authored-By: rauchy <omer@rauchy.net> * simplify cognitive complexity * check that additional columns are not injected * detect appended queries * inline .apply calls * move SQLQuery to it's own module * move SQLQuery tests to their own module * serialize SQLQuery instances * raise an exception when attempting to serialize an unsafe query * queries without parameters are safe * remove redundant parentheses * use cached properties * rename SQLInjectionException to SQLInjectionError * support multiple word params and param negations * refactor out methods that don't involve any state * don't cache text() * reduce cognitive complexity	2018-12-02 21:51:06 +02:00
..
__init__.py	Protect against SQL injections by using tree comparisons (#3109 )	2018-12-02 21:51:06 +02:00
test_sql_query.py	Protect against SQL injections by using tree comparisons (#3109 )	2018-12-02 21:51:06 +02:00

Omer Lachish 9579f12a83 Protect against SQL injections by using tree comparisons (#3109 )

* add SQLQuery class with tests for safe queries and non-safe tautology attacks

* add test for union query injections

* split .apply calls to newline

* add tests for comment attacks

* remove double underscore

* extract complex children check to variable

* inherit from object because I'm not a lamer

Co-Authored-By: rauchy <omer@rauchy.net>

* simplify cognitive complexity

* check that additional columns are not injected

* detect appended queries

* inline .apply calls

* move SQLQuery to it's own module

* move SQLQuery tests to their own module

* serialize SQLQuery instances

* raise an exception when attempting to serialize an unsafe query

* queries without parameters are safe

* remove redundant parentheses

* use cached properties

* rename SQLInjectionException to SQLInjectionError

* support multiple word params and param negations

* refactor out methods that don't involve any state

* don't cache text()

* reduce cognitive complexity

2018-12-02 21:51:06 +02:00

__init__.py

Protect against SQL injections by using tree comparisons (#3109 )

2018-12-02 21:51:06 +02:00

test_sql_query.py

Protect against SQL injections by using tree comparisons (#3109 )

2018-12-02 21:51:06 +02:00