Prevent SQL Injection when executing custom SQL #1731

Closed
dodobas opened this issue Jun 28, 2019 · 0 comments · Fixed by #1738
Comments

dodobas commented Jun 28, 2019

When using simple Python string formatting methods, input values are not escaped, which opens up the possibility of SQL injection attacks. For example: https://github.com/hotosm/tasking-manager/blob/master/server/models/postgis/task.py#L653

SQLAlchemy provides a way to safely pass values to custom SQL - https://docs.sqlalchemy.org/en/13/core/tutorial.html#using-textual-sql
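As an added example that is not part of the issue or of the tasking-manager code base: the `str.format()` pattern the issue flags, beside the bound-parameter form that closes the hole. The standard-library `sqlite3` driver stands in for SQLAlchemy so the block runs offline; its `:name` placeholders are the same syntax `sqlalchemy.text()` binds, so the hardened query strings below can be wrapped in `text()` and executed with the same dict of parameters. The `tasks` table, its columns, the sample rows and the helper names are assumptions made for illustration. The last function goes one step past the issue text: bind parameters only cover values, so an `ORDER BY` column or other identifier still has to be checked against an allowlist.

```python
# Added example, not code from the tasking-manager project. Reproduces the
# pattern the issue flags (str.format() on a SQL string) beside the
# bound-parameter form that closes the hole. sqlite3 stands in for
# SQLAlchemy so the block runs offline; its ":name" placeholders are the
# same syntax sqlalchemy.text() binds. The tasks table, its columns and the
# sample rows are constructed for illustration.
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory schema with a handful of constructed task rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tasks (id INTEGER, project_id INTEGER, task_status TEXT)"
    )
    conn.executemany(
        "INSERT INTO tasks VALUES (?, ?, ?)",
        [(1, 10, "MAPPED"), (2, 10, "READY"), (3, 11, "READY"), (4, 11, "VALIDATED")],
    )
    return conn


def count_tasks_unsafe(conn: sqlite3.Connection, project_id, status: str) -> int:
    """The pattern the issue describes: caller-supplied values pasted into SQL.

    A status of "' OR '1'='1" turns the WHERE clause into
        project_id = 10 AND task_status = '' OR '1'='1'
    which matches every row in the table.
    """
    sql = (
        "SELECT COUNT(*) FROM tasks "
        "WHERE project_id = {} AND task_status = '{}'".format(project_id, status)
    )
    return conn.execute(sql).fetchone()[0]


def count_tasks_safe(conn: sqlite3.Connection, project_id: int, status: str) -> int:
    """Same query with named bind parameters: the driver sends the values
    separately from the statement text, so they are never parsed as SQL."""
    sql = (
        "SELECT COUNT(*) FROM tasks "
        "WHERE project_id = :project_id AND task_status = :status"
    )
    return conn.execute(sql, {"project_id": project_id, "status": status}).fetchone()[0]


# Bind parameters cover values only. Identifiers (table names, columns,
# ORDER BY targets) cannot be bound, so they must be checked against a fixed
# allowlist before being interpolated into the statement.
ALLOWED_SORT_COLUMNS = frozenset({"id", "project_id", "task_status"})


def list_task_ids(conn: sqlite3.Connection, project_id: int, sort_by: str) -> list:
    """Return task ids for a project, ordered by an allowlisted column."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    sql = f"SELECT id FROM tasks WHERE project_id = :project_id ORDER BY {sort_by}"
    return [row[0] for row in conn.execute(sql, {"project_id": project_id})]


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("legitimate lookup, unsafe:", count_tasks_unsafe(db, 10, "READY"))  # 1
    print("legitimate lookup, safe:  ", count_tasks_safe(db, 10, "READY"))    # 1
    print("injected status, unsafe:  ", count_tasks_unsafe(db, 10, payload))  # 4
    print("injected status, safe:    ", count_tasks_safe(db, 10, payload))    # 0
    print("project 11 tasks by id:   ", list_task_ids(db, 11, "id"))          # [3, 4]
```

With SQLAlchemy the same hardened string is `text("SELECT ... WHERE project_id = :project_id AND task_status = :status")`, executed with `{"project_id": ..., "status": ...}` as the parameters; the injected status then counts zero rows because it is compared as a literal string rather than spliced into the statement.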

dodobas added a commit to osm-hr/tasking-manager that referenced this issue Jun 28, 2019
@pantierra pantierra added this to the 3.4 Release milestone Jun 28, 2019
pantierra pushed a commit that referenced this issue Jul 2, 2019
ramyaragupathy pushed a commit that referenced this issue Jul 10, 2019
Change circleci deployment branches

Enable RDS Cloudwatch Logging and transactional logs

Change ASG Policy to Target Request Count threshold

Include into migration a cleanup for task_ids on messages for tasks, which don't exist anymore

Scripts to restore deleted projects

Update translations

Avoid providing standard changeset comment

Add required ResourceLabel param to ASG policy

Optimize gulp watch to only track files inside our project and not the
whole node_modules dir; it uses less CPU this way.

Clean up deprecated windows devops script

Include additional fields on tests

Allow expert validators to classify mapping issues

> Note: this includes a new database migration

* Show validators in expert mode an additional form allowing them to
(optionally) classify the type and number of problems they discover with
mapping work that is leading to invalidation of the task

* Record identified mapping issues in a `task_mapping_issues` database
table

* Display noted mapping issues in the task history immediately below the
invalidation where they were recorded

* Allow mapping issues fixed by the validator on behalf of the mapper
to be noted when marking a task as validated

* Display in the task history when a task was validated with fixes, and
show the identified list of issues addressed by the validator

* Add a new page, accessible from the account-nav dropdown menu, on
which project managers and admins can manage the available mapping-issue
categories

* Seed the mapping-issue categories with a couple of initial categories

* Add server RESTful API endpoints for managing mapping-issue categories

* Add new `mapping_issue_categories` and `task_mapping_issues` database
tables in new migration

* Add support on server for optional inclusion of noted mapping issues
during task validation/invalidation

Remove What is New page

Correct time calculations in user profile (#1571)

Correct time calculations in user profile

Add Task Annotations

Update migration and fix minor default value issue

Mapper-level icons and encouragement messages

* Show a trophy icon in the top-nav in a color representing the
logged-in user's mapping level (bronze, silver, or gold for beginner,
intermediate, or advanced respectively), and also prominently display
user's mapping level on their profile page

* Show message on home page and profile page encouraging mappers to
continue mapping and advance to the next level (or to try validating in
the case of advanced mappers)

View changesets in OSMCha. Closes #1362

* Add button to task's Advanced section for viewing a task's changesets
in OSMCha

* Add button for viewing project-wide changesets in OSMCha, visible to
users with validator or higher role (expert or higher for projects that
don't enforce a validator role)

* Add new column to projects for storing an OSMCha filter id that can be
optionally used to load a custom OSMCha filter in place of the standard
project-wide filters for projects that require a more customized set of
filters

* A project's OSMCha filter id can be managed from the Metadata section
when creating or editing a project

Use smaller RDS instances for non production stacks (#1657)

* use cheaper rds instances for non production stacks

* configurable min/max

Show expert users ISO8601 timestamps on hover

* Users in expert mode can hover over a timestamp to view it in ISO8601
format

* Clicking the ISO8601 timestamp copies it to the user's clipboard

* Users who are not in expert mode continue to experience existing
behavior

Transfer project to new owner feature, fixes #1341

Fix tasks annotations and complete with tasks details

Add recommended oauth settings in documentation

Update contributing-code.md

Correct typo in title

Add instruction for local development in setup-development.md

Adding link to user manual on teachosm.org

Add markdown support to task annotations

Support Korean

Update eslint to 4.18.2

Restructure scripts a bit

Review documentation on TM2 migration

Modify deployment for new stack

Modify rds instance size to m5.xlarge

Calculate stats in the database

Fixes: #1720

Enforce Random Task Selection

* Add optional setting to Enforce Random Task Selection in the project's edit page

* If Enforce Random Task Selection is enabled, users will not be able to manually select tasks. They will be required to use the "Select A Random Task" button (does not apply to pm/admins)

* Errors appear if they try to select a task from the map

Closes #1583

Consolidating the stats on tasks

Block read_only user comments on projects

Some documentation and sorting of API tags

Include validators #1685 + Separate time calcs

Restructure the endpoints

Remove additional comma

Update method type

Percentage and Centroid fields

Calculate task status percentages on projects in one central function

Prevent SQL Injection when executing custom SQL

Fixes: #1731

Include automatic trigger for indexing text_searchable

Enforces PM or Admin role on the users that will get a transferred project

Add script to extract strings for translation

Block start mapping and start validating options if email is not set