Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Quote identifiers in SQL functions using EXECUTE (20.08) #1192

Merged
merged 4 commits into from
Jul 15, 2020
Merged

Quote identifiers in SQL functions using EXECUTE (20.08) #1192

merged 4 commits into from
Jul 15, 2020

Conversation

timopollmeier
Copy link
Member

@timopollmeier timopollmeier commented Jul 13, 2020
edited
Loading

PL/pgSQL functions that build EXECUTE statements with schema, relation
or column names passed as parameters should quote them to ensure they
are always interpreted as identifiers.

Checklist:

@timopollmeier
Quote identifiers in SQL functions using EXECUTE
61ef09d 
PL/pgSQL functions that build EXECUTE statements with schema, relation
or column names passed as parameters should quote them to ensure they
are always interpreted as identifiers.
@timopollmeier timopollmeier changed the title Quote identifiers in SQL functions using EXECUTE Quote identifiers in SQL functions using EXECUTE (20.08) Jul 13, 2020
@timopollmeier timopollmeier marked this pull request as ready for review July 13, 2020 15:19
@mattmundell
Copy link
Contributor

Could you give some examples of what cases this is catching?

Wouldn't it be better to check the text before passing it to EXECUTE?

And try_exclusive_lock is only called once. How about renaming it try_exclusive_lock_reports?

@timopollmeier
Copy link
Member Author

Could you give some examples of what cases this is catching?

This is meant to catch any case where the function parameters are not referring to schemas, tables or columns as intended, but I was thinking of ones where they are maliciously manipulated.

Wouldn't it be better to check the text before passing it to EXECUTE?

I guess that would make sense as an addition check. I was thinking of the flexibility PostgreSQL offers for the identifier names, but it may not be too complex if we just allow the cases we actually use.

And try_exclusive_lock is only called once. How about renaming it try_exclusive_lock_reports?

I didn't want to specialize the function too much, but if no use case for other tables has shown up, I could change the function to only lock the reports table.

@mattmundell mattmundell reopened this Jul 15, 2020
@mattmundell mattmundell merged commit a574aae into greenbone:gvmd-20.08 Jul 15, 2020
@timopollmeier timopollmeier deleted the sql-execute-quoting-20.08 branch October 15, 2021 10:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mattmundell mattmundell mattmundell approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@timopollmeier @mattmundell