Fix/sql queries backmerge #107
base: develop
Conversation
Hey @zklim

Some pointers on the fix/sql-queries-backmerge:

- The below files still have the SQL vulnerability:
  - src-tauri/src/services/local_storage/tokens.rs
  - src-tauri/src/services/local_storage/encrypted_data.rs
  - src-tauri/src/services/local_storage/storage_api/events.rs
  - src-tauri/src/services/local_storage/storage_api/records.rs
  - src-tauri/src/services/local_storage/storage_api/transaction.rs
- Basically, any file that uses string formatting with `format!(<SQL_QUERY>{}, <VARIABLE>)` should be changed to passing through arguments as Zack did. Do a search for `format!` and change it to the fix done by Zack using the `execute_query_params()` fn for the above mentioned files.
- All SQL commands SHOULD NOT HAVE `format!(<..>)` in them; it should be like `let query = "<SQL QUERY WITH ?1, ?2>";` and call the `execute_query_params(query, <PARAMS>);` fn.
Not sure if I have to modify code for case like:

```rust
let query = format!(
    "SELECT balance_ciphertext, nonce FROM ARC20_tokens WHERE token_name='{}' ",
    token_name
);
let res = storage.get_all::<String>(&query, 2)?;
```
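As an added illustration of the reviewer's point (not code from this PR or the project), the Rust below contrasts the `format!`-built query quoted in the reply with a parameterised form, and includes the "search for `format!`" narrowed to calls whose arguments contain SQL. `ParamQuery`, `sql_shape`, `find_sql_format_calls` and `SAMPLE_SOURCE` are hypothetical names written for this example; the project's `execute_query_params` signature is not shown in the thread and is not assumed.

```rust
// Added example, not code from this PR or the project. `ParamQuery`,
// `sql_shape`, `find_sql_format_calls` and `SAMPLE_SOURCE` are hypothetical
// names for this illustration; the project's `execute_query_params`
// signature is not shown in the thread and is not assumed here.

/// The pattern the reviewer asks to remove: the untrusted value is spliced
/// into the SQL text, so the value can change the statement's structure.
pub fn balance_query_format(token_name: &str) -> String {
    format!(
        "SELECT balance_ciphertext, nonce FROM ARC20_tokens WHERE token_name='{}' ",
        token_name
    )
}

/// Hypothetical parameterised form: the SQL is a fixed string with `?1`
/// placeholders and the values travel separately, which is what passing
/// them through `execute_query_params(query, params)` relies on.
#[derive(Debug, Clone, PartialEq)]
pub struct ParamQuery {
    pub sql: &'static str,
    pub params: Vec<String>,
}

pub fn balance_query_params(token_name: &str) -> ParamQuery {
    ParamQuery {
        sql: "SELECT balance_ciphertext, nonce FROM ARC20_tokens WHERE token_name=?1",
        params: vec![token_name.to_string()],
    }
}

/// Reduces a statement to its "shape": the contents of every single-quoted
/// literal become '?'. Same shape means the input only changed data; a
/// different shape means the input rewrote the SQL itself. Rough on purpose:
/// doubled quotes ('') and comments are not handled.
pub fn sql_shape(sql: &str) -> String {
    let mut out = String::new();
    let mut in_literal = false;
    for c in sql.chars() {
        if c == '\'' {
            out.push_str(if in_literal { "'" } else { "'?" });
            in_literal = !in_literal;
        } else if !in_literal {
            out.push(c);
        }
    }
    out
}

/// The "search for format!" the reviewer suggests, narrowed to calls whose
/// arguments contain a SQL keyword. Returns 1-based line numbers of hits.
/// Parenthesis matching ignores string contents, so this is a triage aid,
/// not a parser; expect the occasional false positive on log messages.
pub fn find_sql_format_calls(source: &str) -> Vec<usize> {
    const KEYWORDS: [&str; 4] = ["SELECT ", "INSERT ", "UPDATE ", "DELETE "];
    let mut hits = Vec::new();
    let mut search_from = 0;
    while let Some(rel) = source[search_from..].find("format!(") {
        let start = search_from + rel;
        let args_start = start + "format!(".len();
        // Walk forward to the parenthesis that closes this call.
        let mut depth = 1usize;
        let mut end = source.len();
        for (i, c) in source[args_start..].char_indices() {
            depth = match c { '(' => depth + 1, ')' => depth - 1, _ => depth };
            if depth == 0 { end = args_start + i; break; }
        }
        let args = source[args_start..end].to_uppercase();
        if KEYWORDS.iter().any(|k| args.contains(*k)) {
            hits.push(source[..start].matches('\n').count() + 1);
        }
        search_from = end;
    }
    hits
}

/// Constructed source text modelled on the snippet in the reply: line 3
/// builds SQL with format!, line 8 uses format! only for a log message.
pub const SAMPLE_SOURCE: &str = r#"
fn load(storage: &Storage, token_name: &str) -> Result<Vec<String>> {
    let query = format!(
        "SELECT balance_ciphertext, nonce FROM ARC20_tokens WHERE token_name='{}' ",
        token_name
    );
    let res = storage.get_all::<String>(&query, 2)?;
    log::info!("{}", format!("loaded {} rows", res.len()));
    Ok(res)
}
"#;

fn main() {
    let hostile = "x' OR '1'='1";
    println!("format! benign : {}", sql_shape(&balance_query_format("alice")));
    println!("format! hostile: {}", sql_shape(&balance_query_format(hostile)));
    println!("params  hostile: {:?}", balance_query_params(hostile));
    println!("SQL-building format! calls at lines {:?}", find_sql_format_calls(SAMPLE_SOURCE));
}
```

Running it shows the `format!` version producing a statement with three predicates for the hostile input while the parameterised version's SQL text is identical for both inputs, and the scan reports only line 3 of the constructed source. So the answer to the question in the reply is yes: `get_all` calls that take a `format!`-built string need the same treatment as the `execute_query_params` fixes.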
Back-merged the latest develop branch on Jun 21st and did app testing.