Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore: dbconn - add requestId info as a comment in the database logs #3110

Merged
merged 3 commits into from
Oct 15, 2024

Conversation

Ivansete-status
Copy link
Collaborator

@Ivansete-status Ivansete-status commented Oct 11, 2024

Addition of more debug information to the database logs.
It is pending to add requestId to prepared statements and that would require deeper refactor.
Let's see if is enough with that to fine-tune the arbitrary queries

it is pending to add requestId to prepared statements
Copy link

github-actions bot commented Oct 11, 2024

You can find the image built from this PR at

quay.io/wakuorg/nwaku-pr:3110

Built from 1939ba4

@Ivansete-status Ivansete-status marked this pull request as ready for review October 11, 2024 15:18
Copy link
Contributor

@gabrielmer gabrielmer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thank you!

Copy link
Contributor

@NagyZoltanPeter NagyZoltanPeter left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approve if we are sure no-one can make SQL inject attack through requestId.

@@ -224,7 +224,8 @@ proc dbConnQuery*(

var queryStartTime = getTime().toUnixFloat()

(await dbConnWrapper.sendQuery(query, args)).isOkOr:
let reqIdAndQuery = fmt"/* requestId={requestId} */ " & $query
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are we 100% sure that no-one can pass harmful - sqj inject - string with requestId string?
Concatenating it does not seem very secure unless we take special care.

Also wonder if fmt cannot throw exception?!

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are we 100% sure that no-one can pass harmful - sqj inject - string with requestId string? Concatenating it does not seem very secure unless we take special care.

Also wonder if fmt cannot throw exception?!

Good points! Thanks! I tackled them in c065116

Copy link
Contributor

@NagyZoltanPeter NagyZoltanPeter left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you!!!!

@@ -207,13 +207,42 @@ proc waitQueryToFinish(

pqclear(pqResult)

proc containsRiskyPatterns(input: string): bool =
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Really awesome! I think next time we need to generalize this to apply wherever we think needed. WDYT?
Just an idea, usually what SQL inject attacker use is to trick the comments inside an SQL string, so that must be banned first (sometimes it is just enough to filter out threats).

@Ivansete-status Ivansete-status merged commit 30c072a into master Oct 15, 2024
8 of 11 checks passed
@Ivansete-status Ivansete-status deleted the request-id-in-queries branch October 15, 2024 07:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants