-
Notifications
You must be signed in to change notification settings - Fork 57
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore: dbconn - add requestId info as a comment in the database logs #3110
Conversation
it is pending to add requestId to prepared statements
You can find the image built from this PR at
Built from 1939ba4 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, thank you!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Approve if we are sure no-one can make SQL inject attack through requestId.
@@ -224,7 +224,8 @@ proc dbConnQuery*( | |||
|
|||
var queryStartTime = getTime().toUnixFloat() | |||
|
|||
(await dbConnWrapper.sendQuery(query, args)).isOkOr: | |||
let reqIdAndQuery = fmt"/* requestId={requestId} */ " & $query |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are we 100% sure that no-one can pass harmful - sqj inject - string with requestId string?
Concatenating it does not seem very secure unless we take special care.
Also wonder if fmt cannot throw exception?!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are we 100% sure that no-one can pass harmful - sqj inject - string with requestId string? Concatenating it does not seem very secure unless we take special care.
Also wonder if fmt cannot throw exception?!
Good points! Thanks! I tackled them in c065116
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you!!!!
@@ -207,13 +207,42 @@ proc waitQueryToFinish( | |||
|
|||
pqclear(pqResult) | |||
|
|||
proc containsRiskyPatterns(input: string): bool = |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Really awesome! I think next time we need to generalize this to apply wherever we think needed. WDYT?
Just an idea, usually what SQL inject attacker use is to trick the comments inside an SQL string, so that must be banned first (sometimes it is just enough to filter out threats).
bcd3099
to
c065116
Compare
Addition of more debug information to the database logs.
It is pending to add requestId to prepared statements and that would require deeper refactor.
Let's see if is enough with that to fine-tune the arbitrary queries