You are viewing a plain text version of this content. The canonical link for it is here.
Posted to github@arrow.apache.org by "WillAyd (via GitHub)" <gi...@apache.org> on 2023/05/05 18:21:47 UTC
[GitHub] [arrow-adbc] WillAyd opened a new pull request, #657: fix(c/driver/postgresql): Prevent SQL Injection in GetTableSchema
WillAyd opened a new pull request, #657:
URL: https://github.com/apache/arrow-adbc/pull/657
Looks like a typo allows this to already sneak into the implementation via the table. Open to a better home / structure for the test
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: github-unsubscribe@arrow.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [arrow-adbc] lidavidm commented on a diff in pull request #657: fix(c/driver/postgresql): Prevent SQL Injection in GetTableSchema
Posted by "lidavidm (via GitHub)" <gi...@apache.org>.
lidavidm commented on code in PR #657:
URL: https://github.com/apache/arrow-adbc/pull/657#discussion_r1186467155
##########
c/driver/postgresql/postgresql_test.cc:
##########
@@ -94,6 +95,33 @@ class PostgresConnectionTest : public ::testing::Test,
void TestMetadataGetObjectsTablesTypes() { GTEST_SKIP() << "Not yet implemented"; }
void TestMetadataGetObjectsColumns() { GTEST_SKIP() << "Not yet implemented"; }
+ void TestMetadataGetTableSchema() {
+ // We are overriding to test against SQL injection
+ // TODO: should refactor to provide general pattern for all drivers to test
+ adbc_validation::ConnectionTest::TestMetadataGetTableSchema();
+ adbc_validation::Handle<ArrowSchema> schema;
+ ASSERT_THAT(AdbcConnectionGetTableSchema(&connection, /*catalog=*/nullptr,
+ /*db_schema=*/nullptr,
+ "0'::int; DROP TABLE bulk_ingest;--",
+ &schema.value, &error),
+ IsStatus(ADBC_STATUS_IO, &error));
+
+ ASSERT_THAT(
+ AdbcConnectionGetTableSchema(&connection, /*catalog=*/nullptr,
+ /*db_schema=*/"0'::int; DROP TABLE bulk_ingest;--",
+ "DROP TABLE bulk_ingest;", &schema.value, &error),
+ IsStatus(ADBC_STATUS_IO, &error));
+
+ ASSERT_THAT(AdbcConnectionGetTableSchema(&connection, /*catalog=*/nullptr,
+ /*db_schema=*/nullptr, "bulk_ingest",
+ &schema.value, &error),
+ IsOkStatus(&error));
+
+ ASSERT_NO_FATAL_FAILURE(adbc_validation::CompareSchema(
+ &schema.value, {{"int64s", NANOARROW_TYPE_INT64, true},
Review Comment:
Probably alright to just have it here
##########
c/driver/postgresql/postgresql_test.cc:
##########
@@ -94,6 +95,33 @@ class PostgresConnectionTest : public ::testing::Test,
void TestMetadataGetObjectsTablesTypes() { GTEST_SKIP() << "Not yet implemented"; }
void TestMetadataGetObjectsColumns() { GTEST_SKIP() << "Not yet implemented"; }
+ void TestMetadataGetTableSchema() {
+ // We are overriding to test against SQL injection
+ // TODO: should refactor to provide general pattern for all drivers to test
Review Comment:
You can just add
```cpp
TEST_F(PostgresConnectionTest, MetadataGetTableSchemaInjection) {
// ...
}
```
below instead of overriding here
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: github-unsubscribe@arrow.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [arrow-adbc] WillAyd commented on a diff in pull request #657: fix(c/driver/postgresql): Prevent SQL Injection in GetTableSchema
Posted by "WillAyd (via GitHub)" <gi...@apache.org>.
WillAyd commented on code in PR #657:
URL: https://github.com/apache/arrow-adbc/pull/657#discussion_r1186507313
##########
c/driver/postgresql/postgresql_test.cc:
##########
@@ -94,6 +95,33 @@ class PostgresConnectionTest : public ::testing::Test,
void TestMetadataGetObjectsTablesTypes() { GTEST_SKIP() << "Not yet implemented"; }
void TestMetadataGetObjectsColumns() { GTEST_SKIP() << "Not yet implemented"; }
+ void TestMetadataGetTableSchema() {
+ // We are overriding to test against SQL injection
+ // TODO: should refactor to provide general pattern for all drivers to test
Review Comment:
Very nice. Think I've done this now, but wanted to point out that the parent class of this makes a call like
`ASSERT_NO_FATAL_FAILURE(IngestSampleTable(&connection, &error));`
while I had to change that to
`ASSERT_THAT(quirks()->EnsureSampleTable(&connection, "bulk_ingest", &error), IsOkStatus(&error));`
There's some duplication of features which I'm guessing a refactor of the fixture could solve, but didn't want to try and tackle that now
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: github-unsubscribe@arrow.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [arrow-adbc] WillAyd commented on a diff in pull request #657: fix(c/driver/postgresql): Prevent SQL Injection in GetTableSchema
Posted by "WillAyd (via GitHub)" <gi...@apache.org>.
WillAyd commented on code in PR #657:
URL: https://github.com/apache/arrow-adbc/pull/657#discussion_r1186388190
##########
c/driver/postgresql/postgresql_test.cc:
##########
@@ -94,6 +95,33 @@ class PostgresConnectionTest : public ::testing::Test,
void TestMetadataGetObjectsTablesTypes() { GTEST_SKIP() << "Not yet implemented"; }
void TestMetadataGetObjectsColumns() { GTEST_SKIP() << "Not yet implemented"; }
+ void TestMetadataGetTableSchema() {
+ // We are overriding to test against SQL injection
+ // TODO: should refactor to provide general pattern for all drivers to test
+ adbc_validation::ConnectionTest::TestMetadataGetTableSchema();
+ adbc_validation::Handle<ArrowSchema> schema;
+ ASSERT_THAT(AdbcConnectionGetTableSchema(&connection, /*catalog=*/nullptr,
+ /*db_schema=*/nullptr,
+ "0'::int; DROP TABLE bulk_ingest;--",
+ &schema.value, &error),
+ IsStatus(ADBC_STATUS_IO, &error));
+
+ ASSERT_THAT(
+ AdbcConnectionGetTableSchema(&connection, /*catalog=*/nullptr,
+ /*db_schema=*/"0'::int; DROP TABLE bulk_ingest;--",
+ "DROP TABLE bulk_ingest;", &schema.value, &error),
+ IsStatus(ADBC_STATUS_IO, &error));
+
+ ASSERT_THAT(AdbcConnectionGetTableSchema(&connection, /*catalog=*/nullptr,
+ /*db_schema=*/nullptr, "bulk_ingest",
+ &schema.value, &error),
+ IsOkStatus(&error));
+
+ ASSERT_NO_FATAL_FAILURE(adbc_validation::CompareSchema(
+ &schema.value, {{"int64s", NANOARROW_TYPE_INT64, true},
Review Comment:
The `true` is listed as `NULLABLE` in the parent, but that is defined in an anonymous namespace. Didn't think it was worth moving around, but maybe
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: github-unsubscribe@arrow.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [arrow-adbc] lidavidm merged pull request #657: fix(c/driver/postgresql): Prevent SQL Injection in GetTableSchema
Posted by "lidavidm (via GitHub)" <gi...@apache.org>.
lidavidm merged PR #657:
URL: https://github.com/apache/arrow-adbc/pull/657
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: github-unsubscribe@arrow.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org