
vulnerability to sql injections

The source code is littered with SQL-injectable direct query concatenation, e.g.:

```cpp
sql_query_stream << "DELETE FROM property_device WHERE device LIKE \"" << tmp_device \
                 << "\" AND name LIKE \"" << tmp_name << "\"";
```

This can be exploited with:

```python
import tango

device = tango.DeviceProxy("my/dev/ref")
props = {}
# The property name is concatenated straight into the DELETE statement
props["init_dynamic_attributes\"; CREATE TABLE pwned(id INT); --"] = "oh oh"
device.put_property(props)
```

IMHO, all string concatenation of SQL should be changed to prepared statements with parameter binding instead, e.g.:

```cpp
sql::PreparedStatement *pstmt;
pstmt = conn->prepareStatement(
    "DELETE FROM property_device WHERE device LIKE ? AND name LIKE ?"
);
...
```
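The following added example (not code from the issue or from the Tango database server) runs the two approaches above against an in-memory SQLite table with the property_device column names from the issue; the schema, sample rows and single-quoted string literals are assumptions for SQLite, whose dialect differs from the MySQL snippet. It shows that the concatenated query executes the injected statement, while the bound version treats the same input as an ordinary property name and matches nothing.

```python
import sqlite3

# Constructed sample table: column names follow the issue's DELETE, the
# schema and rows are assumptions for this demonstration.
SCHEMA = "CREATE TABLE property_device (device TEXT, name TEXT, value TEXT);"
ROWS = [("my/dev/ref", "init_dynamic_attributes", "true"),
        ("my/dev/ref", "polling_period", "100")]

def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO property_device VALUES (?, ?, ?)", ROWS)
    return conn

def delete_concat(conn, device, name):
    """Mirrors the issue's string concatenation (SQLite uses single quotes
    for string literals, so the quote character differs from MySQL)."""
    sql = ("DELETE FROM property_device WHERE device LIKE '" + device
           + "' AND name LIKE '" + name + "'")
    # executescript runs every statement in the string, like a MySQL
    # connection that has multi-statements enabled.
    conn.executescript(sql)
    return sql

def delete_bound(conn, device, name):
    """The fix proposed in the issue: placeholders, values bound separately.
    Returns the number of rows actually deleted."""
    cur = conn.execute(
        "DELETE FROM property_device WHERE device LIKE ? AND name LIKE ?",
        (device, name))
    return cur.rowcount

def tables(conn):
    return sorted(r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'"))

def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM property_device").fetchone()[0]

# The issue's property name, with the quote adapted to SQLite's dialect.
PAYLOAD = "init_dynamic_attributes'; CREATE TABLE pwned(id INT); --"

def demo():
    concat_db = fresh_db()
    delete_concat(concat_db, "my/dev/ref", PAYLOAD)
    bound_db = fresh_db()
    deleted = delete_bound(bound_db, "my/dev/ref", PAYLOAD)
    return (tables(concat_db), row_count(concat_db),
            tables(bound_db), row_count(bound_db), deleted)

if __name__ == "__main__":
    print(demo())
```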
Edited by Sebastian Jennen