Giters

microsoft / aerial_wildlife_detection

Tools for detecting wildlife in aerial images using active learning

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

SQL injection

frafra opened this issue · comments

commented

aerial_wildlife_detection/projectCreation/import_images.py

Lines 80 to 82 in de150d0

imgs_existing = dbConn.execute('''
SELECT filename FROM {}.image;
'''.format(dbSchema), None, 'all')

aerial_wildlife_detection/projectCreation/import_images.py

Lines 90 to 94 in de150d0

dbConn.insert('''
INSERT INTO {}.image (filename)
VALUES %s;
'''.format(dbSchema),
imgs)

aerial_wildlife_detection/application.py

Lines 69 to 73 in de150d0

isMigrated = dbConnector.execute('''
SELECT COUNT(*) AS cnt
FROM aide_admin.project
WHERE shortname = %s;
''', (dbSchema,), 1)

There are various examples of this in the source code.

commented

Hello,

Thank you very much for raising these issues.
As a matter of fact most of them are in legacy import and export scripts that are more or less replaced with browser functionality.
I nonetheless replaced them in the latest commit on the current development branch ("aide_detectron2"), which is going to become the new master branch accordingly. All other locations should be SQL injection-proof as well.

The only exception is the setup/migrate_aide.py script, which would require too many formatting commands for each project. However, this script is only executed at the launch of AIDE and cannot be accessed from the Web server in any normal way.

FYI: the first two examples pose a risk to SQL injection; the third is the officially recommended way of using the psycopg2 library and involves automatic SQL injection prevention in the library itself (see documentation).