Fix SQL injection

Alexey Milovidov 2021-01-15 23:14:51 +03:00
parent 52cfc1d110
commit b1b09ed5ae


@ -21,6 +21,7 @@ namespace DB
namespace ErrorCodes
{
extern const int UNKNOWN_TABLE;
extern const int BAD_ARGUMENTS;
}
@ -29,6 +30,13 @@ std::shared_ptr<NamesAndTypesList> fetchPostgreSQLTableStructure(
{
auto columns = NamesAndTypesList();
if (postgres_table_name.find('\'') != std::string::npos
|| postgres_table_name.find('\\') != std::string::npos)
{
throw Exception(ErrorCodes::BAD_ARGUMENTS, "PostgreSQL table name cannot contain single quote or backslash characters, passed {}",
postgres_table_name);
}
std::string query = fmt::format(
"SELECT attname AS name, format_type(atttypid, atttypmod) AS type, "
"attnotnull AS not_null, attndims AS dims "
@ -53,7 +61,7 @@ std::shared_ptr<NamesAndTypesList> fetchPostgreSQLTableStructure(
stream.complete();
tx.commit();
}
catch (pqxx::undefined_table const &)
catch (const pqxx::undefined_table &)
{
throw Exception(fmt::format(
"PostgreSQL table {}.{} does not exist",