Skip to content

Commit

Permalink
Use spaces instead of parentheses for SQL sanitization.
Browse files Browse the repository at this point in the history 
This still solves the problem of negative numbers creating a line
comment, but this avoids breaking edge cases such as `set foo to $1`
where the substition is taking place in a location where an arbitrary
expression is not allowed.
  • Loading branch information
@jackc
jackc committed Mar 9, 2024
1 parent 14690df commit 69fcb46
Show file tree
Hide file tree
Showing 2 changed files with 12 additions and 12 deletions.
2 changes: 1 addition & 1 deletion internal/sanitize/sanitize.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -61,7 +61,7 @@ func (q *Query) Sanitize(args ...interface{}) (string, error) {

// Prevent SQL injection via Line Comment Creation
// https://github.com/jackc/pgx/security/advisories/GHSA-m7wr-2xf7-cm9p
str = "(" + str + ")"
str = " " + str + " "
default:
return "", fmt.Errorf("invalid Part type: %T", part)
}
Expand Down
22 changes: 11 additions & 11 deletions internal/sanitize/sanitize_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -132,57 +132,57 @@ func TestQuerySanitize(t *testing.T) {
{
query: sanitize.Query{Parts: []sanitize.Part{"select ", 1}},
args: []interface{}{int64(42)},
expected: `select (42)`,
expected: `select 42 `,
},
{
query: sanitize.Query{Parts: []sanitize.Part{"select ", 1}},
args: []interface{}{float64(1.23)},
expected: `select (1.23)`,
expected: `select 1.23 `,
},
{
query: sanitize.Query{Parts: []sanitize.Part{"select ", 1}},
args: []interface{}{true},
expected: `select (true)`,
expected: `select true `,
},
{
query: sanitize.Query{Parts: []sanitize.Part{"select ", 1}},
args: []interface{}{[]byte{0, 1, 2, 3, 255}},
expected: `select ('\x00010203ff')`,
expected: `select '\x00010203ff' `,
},
{
query: sanitize.Query{Parts: []sanitize.Part{"select ", 1}},
args: []interface{}{nil},
expected: `select (null)`,
expected: `select null `,
},
{
query: sanitize.Query{Parts: []sanitize.Part{"select ", 1}},
args: []interface{}{"foobar"},
expected: `select ('foobar')`,
expected: `select 'foobar' `,
},
{
query: sanitize.Query{Parts: []sanitize.Part{"select ", 1}},
args: []interface{}{"foo'bar"},
expected: `select ('foo''bar')`,
expected: `select 'foo''bar' `,
},
{
query: sanitize.Query{Parts: []sanitize.Part{"select ", 1}},
args: []interface{}{`foo\'bar`},
expected: `select ('foo\''bar')`,
expected: `select 'foo\''bar' `,
},
{
query: sanitize.Query{Parts: []sanitize.Part{"insert ", 1}},
args: []interface{}{time.Date(2020, time.March, 1, 23, 59, 59, 999999999, time.UTC)},
expected: `insert ('2020-03-01 23:59:59.999999Z')`,
expected: `insert '2020-03-01 23:59:59.999999Z' `,
},
{
query: sanitize.Query{Parts: []sanitize.Part{"select 1-", 1}},
args: []interface{}{int64(-1)},
expected: `select 1-(-1)`,
expected: `select 1- -1 `,
},
{
query: sanitize.Query{Parts: []sanitize.Part{"select 1-", 1}},
args: []interface{}{float64(-1)},
expected: `select 1-(-1)`,
expected: `select 1- -1 `,
},
}

Expand Down

0 comments on commit 69fcb46

Please sign in to comment.