Conversation

@obi1kenobi
Contributor

On March 28th 2015, I discovered and reported five SQL injection vulnerabilities to the owners of this repository. In private discussion, we decided to settle the problem via this pull request that will be merged as quickly as possible, to minimize the possible security impact.

Here is the summary of the five vulnerabilities:

  • The LIKE operator argument isn't sanitized.
    > graph.query(Region).filter(Region.name.like("United States' or 'a'='a")).all()
    SELECT statement: SELECT FROM Region WHERE name like 'United States' or 'a'='a'
  • The BETWEEN operator's first input isn't quoted (for strings) or sanitized.
    > graph.query(Region).filter(Region.name.between('United States" or "a"="a', 'zzzz" or "a"="a')).all()
    SELECT statement: SELECT FROM Region WHERE name BETWEEN United States" or "a"="a and "zzzz\" or \"a\"=\"a"
  • The MATCHES argument isn't sanitized.
    > graph.query(Region).filter(Region.name.matches("United States' OR 'a'='a")).all()
    SELECT statement: SELECT FROM Region WHERE name matches 'United States' OR 'a'='a'
  • The STARTSWITH argument isn't sanitized.
    > graph.query(Region).filter(Region.name.startswith("United States' OR 'a%'='a")).all()
    SELECT statement: SELECT FROM Region WHERE name like 'United States' OR 'a%'='a%'
  • The ENDSWITH argument isn't sanitized.
    > graph.query(Region).filter(Region.name.endswith("United States' OR 'a'='a")).all()
    SELECT statement: SELECT FROM Region WHERE name like '%United States' OR 'a'='a'

This pull request addresses all these issues.
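An added defensive illustration of the five findings above; this is not code from this pull request or from pyorient, whose actual fix lives in the merged commit and is not shown on this page. It pairs the unsafe "wrap in quotes, never escape" pattern with a quoting routine that escapes the string arguments, and includes a small literal scanner so you can verify whether the report's own inputs stay inside one string literal or break out into extra clauses. The function names (quote_literal, render_clause, render_unsafe, split_literals) and the single-quote-plus-backslash escaping convention are assumptions for the example, chosen to match the escaped form visible in the BETWEEN output above.

```python
# Hypothetical example, not pyorient's code. Assumes OrientDB-style string
# literals: single-quoted, with backslash escaping of ' and \ .


def quote_literal(value):
    """Return value as a single-quoted SQL string literal with \\ and ' escaped."""
    if not isinstance(value, str):
        raise TypeError("quote_literal only handles str, got %r" % type(value))
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def _values_for(op, args):
    """Return the string values each operator actually sends to the database.

    STARTSWITH and ENDSWITH add their wildcard to the value *before* quoting,
    so the % ends up inside the literal rather than in the surrounding SQL.
    """
    if op in ("like", "matches"):
        return [args[0]]
    if op == "startswith":
        return [args[0] + "%"]
    if op == "endswith":
        return ["%" + args[0]]
    if op == "between":
        return [args[0], args[1]]
    raise ValueError("unsupported operator: %s" % op)


_KEYWORD = {"like": "like", "startswith": "like", "endswith": "like",
            "matches": "matches"}


def render_clause(op, field, *args, quote=quote_literal):
    """Render one WHERE clause, passing every string argument through `quote`."""
    values = [quote(v) for v in _values_for(op, args)]
    if op == "between":
        return "%s BETWEEN %s and %s" % (field, values[0], values[1])
    return "%s %s %s" % (field, _KEYWORD[op], values[0])


def render_unsafe(op, field, *args):
    """The 'before' pattern the report describes: quotes added, nothing escaped."""
    return render_clause(op, field, *args, quote=lambda v: "'" + v + "'")


def split_literals(sql):
    """Split a rendered clause into (text outside quotes, decoded literals).

    Walks the string once, honouring backslash escapes inside single-quoted
    literals. A correctly escaped quote stays inside its literal; an unescaped
    one terminates it, which shows up as extra literals and extra SQL outside.
    """
    outside, literals = [], []
    i, n = 0, len(sql)
    while i < n:
        if sql[i] != "'":
            outside.append(sql[i])
            i += 1
            continue
        buf = []
        i += 1                      # skip the opening quote
        while i < n and sql[i] != "'":
            if sql[i] == "\\" and i + 1 < n:
                buf.append(sql[i + 1])  # escaped character, taken verbatim
                i += 2
            else:
                buf.append(sql[i])
                i += 1
        if i >= n:
            raise ValueError("unterminated string literal in: %s" % sql)
        i += 1                      # skip the closing quote
        literals.append("".join(buf))
    return "".join(outside), literals


if __name__ == "__main__":
    # Constructed input: the LIKE payload quoted in the report above.
    payload = "United States' or 'a'='a"
    for render in (render_unsafe, render_clause):
        clause = render("like", "name", payload)
        outside, lits = split_literals(clause)
        print("%-14s %s" % (render.__name__ + ":", clause))
        print("               %d literal(s); SQL outside quotes: %r" % (len(lits), outside))
```

With the unsafe renderer the LIKE payload yields three literals and the text `or =` outside them, i.e. a second predicate the caller never wrote; with `quote_literal` the same input yields exactly one literal that decodes back to the original string. The scanner is a checking aid for the example, not a substitute for escaping at the point where the clause is built.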

@Ostico Ostico merged commit 2285eb4 into mogui:develop Apr 10, 2016
@obi1kenobi obi1kenobi deleted the sanitize_operators branch April 10, 2016 17:13
@coveralls

Coverage Status

Coverage decreased (-0.02%) to 79.706% when pulling 333b257 on kensho:sanitize_operators into cf9345e on mogui:develop.

Ostico added a commit that referenced this pull request Apr 10, 2016
Fix vulnerability:
Sanitize operators #182