Fix sql injection for Neural Solution gRPC (#1879)
Signed-off-by: Kaihui-intel <[email protected]>
Kaihui-intel authored Jun 28, 2024
1 parent 4ae2e87 commit 4372a76
Showing 1 changed file with 19 additions and 12 deletions.
31 changes: 19 additions & 12 deletions neural_solution/frontend/utility.py
@@ -140,30 +140,37 @@ def submit_task_to_db(task, task_submitter, db_path):
status = "failed"
task_id = "-1"
result = {"status": status, "task_id": task_id, "msg": msg}
if not is_valid_task(task.__dict__):
return result
if os.path.isfile(db_path):
conn = sqlite3.connect(db_path)
cursor = conn.cursor()
task_id = str(uuid.uuid4()).replace("-", "")
sql = (
r"insert into task(id, script_url, optimized, arguments, approach, requirements, workers, status)"
+ r" values ('{}', '{}', {}, '{}', '{}', '{}', {}, 'pending')".format(
task_id,
task.script_url,
task.optimized,
list_to_string(task.arguments),
task.approach,
list_to_string(task.requirements),
task.workers,
)
"INSERT INTO task "
"(id, script_url, optimized, arguments, approach, requirements, workers, status) "
"VALUES (?, ?, ?, ?, ?, ?, ?, 'pending')"
)
cursor.execute(sql)

task_params = (
task_id,
task.script_url,
task.optimized,
list_to_string(task.arguments),
task.approach,
list_to_string(task.requirements),
task.workers,
)

conn.execute(sql, task_params)
conn.commit()
try:
task_submitter.submit_task(task_id)
except ConnectionRefusedError:
msg = "Task Submitted fail! Make sure neural solution runner is running!"
except Exception as e:
msg = "Task Submitted fail! {}".format(e)
msg = "Task Submitted fail!"
print(f"{msg} {e}")
conn.close()
status = "successfully"
msg = "Task submitted successfully"
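Review bot: The failure message now set in the `except Exception` branch looks like it is lost, because the lines right after the handlers (`status = "successfully"` and `msg = "Task submitted successfully"`) appear to run on every path; indentation is not preserved in this view, so confirm against the file. If that reading is right, the caller is told the task was submitted even when `submit_task` raised, while the row has already been committed as 'pending'. Moving the two success assignments under an `else:` clause of the `try` keeps the failure text, and putting `conn.close()` under `finally:` stops a failing `conn.execute` from leaking the connection. Separately, binding parameters only fixes how the statement is built: `is_valid_task` is now the sole check on what `script_url`, `arguments` and `requirements` may contain, and its rules are outside this hunk. The body of `submit_task_to_db` starts and ends outside the hunk.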
