Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix/sql queries backmerge #107

Open
wants to merge 3 commits into
base: develop
Choose a base branch
from
Open

Fix/sql queries backmerge #107

wants to merge 3 commits into from

Conversation

zklim
Copy link
Contributor

@zklim zklim commented Jun 25, 2024

Back merge latest develop branch at Jun 21st and did app testing.

@zklim zklim deployed to 107/merge June 25, 2024 07:32 — with GitHub Actions Active
@dev-blc dev-blc self-requested a review June 25, 2024 08:10
Copy link
Member

@dev-blc dev-blc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey @zklim
Some pointers on the fix/sql-queries-backmerge

  • The below files still have the SQL vulnerability
    • src-tauri/src/services/local_storage/tokens.rs
    • src-tauri/src/services/local_storage/encrypted_data.rs
    • src-tauri/src/services/local_storage/storage_api/events.rs
    • src-tauri/src/services/local_storage/storage_api/records.rs
    • src-tauri/src/services/local_storage/storage_api/transaction.rs
  • Basically. any file that uses String formatting with format!(<SQL_QUERY>{}, <VARIABLE>) , Should be changed to passing through arguments as Zack did
  • Do a search for format! , and change it to the fix done by Zack using execute_query_params() fn for the above mentioned files
  • All SQL commands SHOULD NOT HAVE format!(<..>) in them, it should be like let query = "<SQL QUERY WITH ?1, ?2>"; and call the execute_query_params(query , <PARAMS>); fn.

@zklim
Copy link
Contributor Author

zklim commented Jun 26, 2024

Hey @zklim Some pointers on the fix/sql-queries-backmerge

  • The below files still have the SQL vulnerability

    • src-tauri/src/services/local_storage/tokens.rs
    • src-tauri/src/services/local_storage/encrypted_data.rs
    • src-tauri/src/services/local_storage/storage_api/events.rs
    • src-tauri/src/services/local_storage/storage_api/records.rs
    • src-tauri/src/services/local_storage/storage_api/transaction.rs
  • Basically. any file that uses String formatting with format!(<SQL_QUERY>{}, <VARIABLE>) , Should be changed to passing through arguments as Zack did

  • Do a search for format! , and change it to the fix done by Zack using execute_query_params() fn for the above mentioned files

  • All SQL commands SHOULD NOT HAVE format!(<..>) in them, it should be like let query = "<SQL QUERY WITH ?1, ?2>"; and call the execute_query_params(query , <PARAMS>); fn.

Not sure if I have to modify code for case like:

let query = format!(
        "SELECT balance_ciphertext, nonce FROM ARC20_tokens WHERE token_name='{}' ",
        token_name
    );
    let res = storage.get_all::<String>(&query, 2)?;

as storage.get_all() don't take parameter as execute_query_params(query , <PARAMS>); does

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants