Security Alert: Blacklist not working
avi-perl opened this issue
My settings:
EXPLORER_SQL_BLACKLIST = (
    "ALTER",
    "CREATE TABLE",
    "DELETE",
    "DROP",
    "GRANT",
    "INSERT INTO",
    "OWNER TO",
    "RENAME ",
    "REPLACE",
    "SCHEMA",
    "TRUNCATE",
    "UPDATE",
)
EXPLORER_SQL_WHITELIST = "REGEXP_REPLACE"
My query, running successfully in saved and playground queries:
UPDATE users SET username = 'something_else' where id = 1
Ultimately, the real solution for me will be a read-only user in the DB, but this is a fairly significant security flaw!
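For comparison, here is an added example of a keyword blacklist check written for this thread (it is not django-sql-explorer's own code). It takes the blacklist and query from the report above, matches terms as whole words or phrases so `UPDATE` does not trip on a column named `updates`, and accepts the whitelist either as a tuple or as the bare string used in the settings above, since iterating a bare string by mistake yields single characters rather than one term.

```python
import re
from typing import Iterable, List, Tuple, Union

# Blacklist copied from the report above (the trailing space on "RENAME " is tolerated).
BLACKLIST = ("ALTER", "CREATE TABLE", "DELETE", "DROP", "GRANT", "INSERT INTO",
             "OWNER TO", "RENAME ", "REPLACE", "SCHEMA", "TRUNCATE", "UPDATE")


def normalize_terms(terms: Union[str, Iterable[str]]) -> Tuple[str, ...]:
    """Return a tuple of upper-cased, stripped terms.

    A bare string is treated as ONE term; iterating it would otherwise
    produce single characters such as ('R', 'E', 'G', ...).
    """
    if isinstance(terms, str):
        terms = (terms,)
    return tuple(t.strip().upper() for t in terms if t.strip())


def _term_pattern(term: str) -> "re.Pattern[str]":
    """Whole-word pattern; multi-word terms allow any whitespace between words."""
    words = [re.escape(w) for w in term.split()]
    return re.compile(r"\b" + r"\s+".join(words) + r"\b")


def passes_blacklist(sql: str,
                     blacklist: Iterable[str] = BLACKLIST,
                     whitelist: Union[str, Iterable[str]] = ()) -> Tuple[bool, List[str]]:
    """Return (passed, failing_terms) for the given SQL text.

    String literals and comments are NOT stripped, so a blacklisted word inside
    a quoted value fails the check: the check errs on the side of rejecting.
    """
    clean = " ".join(sql.upper().split())            # case-fold, collapse whitespace
    for term in normalize_terms(whitelist):           # remove allowed terms first
        clean = _term_pattern(term).sub(" ", clean)
    fails = [term for term in normalize_terms(blacklist)
             if _term_pattern(term).search(clean)]
    return (not fails, fails)


if __name__ == "__main__":
    # Constructed sample input: the query from the report above.
    print(passes_blacklist("UPDATE users SET username = 'something_else' where id = 1",
                           whitelist="REGEXP_REPLACE"))
```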
The last change to the blacklist check was meant to improve a bug in it at the time and can be found here:
0f074cd#diff-32d6fb9b8f63c9448ae3557a4171d5e1e7809a1bf05b7f49088f24ddd6d27bca
This should fail now in the latest master branch with the following error:
Query failed the SQL blacklist: SET, UPDATE
This fix will be included in the next release.