fix: add protection about sql injection

This commit is contained in:
ambertide
2022-05-29 01:32:59 +03:00
parent 6a3cafb920
commit 8a3865a137
8 changed files with 353 additions and 6 deletions


@@ -56,7 +56,7 @@ def _update_entry(self) -> None:
def remove_from(class_: type, obj_id: int):
with sql.connect(getattr(class_, "db_path")) as con:
cur: sql.Cursor = con.cursor()
cur.execute(f"DELETE FROM {class_.__name__.lower()} WHERE obj_id = {obj_id}")
cur.execute(f"DELETE FROM {class_.__name__.lower()} WHERE obj_id = ?", (obj_id, ))
con.commit()
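Review bot: The table name on the new line is still spliced into the statement with an f-string (`DELETE FROM {class_.__name__.lower()} WHERE obj_id = ?`), and parameter binding cannot cover it because SQLite does not accept `?` for identifiers. Since the value is a class `__name__` it is a Python identifier and cannot carry quotes, spaces or semicolons, so the residual exposure is small, but the assumption should be stated and enforced at the point of use, e.g. `table = class_.__name__.lower()` followed by `if not table.isidentifier(): raise ValueError(f"bad table name {table!r}")` before the execute. The same interpolated-table-name pattern remains on the new lines of `is_fetchable` and `fetch_equals` in the next file section. The `with sql.connect(...)` form commits or rolls back on exit but does not close the connection; that is pre-existing and outside the scope of this fix.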


@@ -29,7 +29,7 @@ def is_fetchable(class_: type, obj_id: int) -> bool:
with sql.connect(getattr(class_, 'db_path')) as con:
cur: sql.Cursor = con.cursor()
try:
cur.execute(f"SELECT 1 FROM {class_.__name__.lower()} WHERE obj_id = {obj_id};")
cur.execute(f"SELECT 1 FROM {class_.__name__.lower()} WHERE obj_id = ?;", (obj_id, ))
except sql.OperationalError:
raise KeyError(f"Table {class_.__name__.lower()} does not exist.")
return bool(cur.fetchall())
@@ -47,7 +47,7 @@ def fetch_equals(class_: type, field: str, value: Any, ) -> Any:
table_name = class_.__name__.lower()
with sql.connect(getattr(class_, 'db_path')) as con:
cur: sql.Cursor = con.cursor()
cur.execute(f"SELECT * FROM {table_name} WHERE {field} = {_convert_sql_format(value)};")
cur.execute(f"SELECT * FROM {table_name} WHERE {field} = ?;", (value, ))
obj_id, *field_values = list(cur.fetchone())
field_names: List[str] = _get_table_cols(cur, class_.__name__.lower())
kwargs = dict(zip(field_names, field_values))
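Review bot: In `fetch_equals` the column name `field` is still interpolated on the new line (`WHERE {field} = ?`), so only the value side is now bound; if `field` can originate from untrusted input it can still change the shape of the query, because identifiers cannot be passed as `?` parameters. Restrict it to the table's real columns before building the SQL — `_get_table_cols(cur, table_name)` is already called two lines later, so the lookup can move ahead of the execute with `if field not in _get_table_cols(cur, table_name): raise KeyError(field)`. Separately, `list(cur.fetchone())` raises a bare `TypeError` when no row matches, which callers are unlikely to expect from a lookup function; an explicit `if row is None` check with a `KeyError` would be clearer. The enclosing function continues past the end of the hunk.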


@@ -83,6 +83,7 @@ def _mass_insert(objects: Union[List[T], Tuple[T]], db_name: str, protect_memory
cur.executescript("BEGIN TRANSACTION;\n" + '\n'.join(sql_queries) + '\nEND TRANSACTION;')
except sql.IntegrityError:
raise ConstraintFailedError
con.commit()
def create_many(objects: Union[List[T], Tuple[T]], protect_memory: bool = True) -> None:
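Review bot: `cur.executescript(...)` on the first line of the hunk cannot take bound parameters, so whatever `sql_queries` holds is executed as a literal string; unless those statements are assembled with values escaped elsewhere (their construction is outside this hunk), this bulk path keeps the string-built-SQL exposure that the commit removes from the single-row helpers. A parameterized equivalent would issue one INSERT statement with `?` placeholders through `cur.executemany` over the objects' field tuples, inside the same transaction. The `except sql.IntegrityError: raise ConstraintFailedError` also drops the original exception; `raise ConstraintFailedError from err` (binding `as err`) keeps the cause. The enclosing function `_mass_insert` starts outside the hunk.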


@@ -26,8 +26,7 @@ def _get_db_table(class_: type) -> Tuple[str, str]:
raise FileNotFoundError(f"{database_name} does not exist")
with sql.connect(database_name) as con:
cur: sql.Cursor = con.cursor()
cur.execute(f"SELECT count(*) FROM sqlite_master "
f"WHERE type='table' AND name='{table_name}';")
cur.execute("SELECT count(*) FROM sqlite_master WHERE type='table' AND name=?;", (table_name, ))
count: int = int(cur.fetchone()[0])
if not count:
raise FileExistsError(f"Table, {table_name}, already exists.")
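Review bot: On the last two lines, `if not count:` fires when `sqlite_master` reports zero matching tables, yet the raised `FileExistsError` says the table already exists, so either the condition or the message is inverted. If the intent is to reject a missing table, `raise KeyError(f"Table {table_name} does not exist.")` would match the wording `is_fetchable` uses in this same commit; if the intent is to reject a pre-existing table, the condition should read `if count:`. The function's tail is outside the hunk, so I cannot see which outcome the caller relies on. The parameterized `sqlite_master` lookup itself is correct.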