SQL injection

[frafra]

aerial_wildlife_detection/projectCreation/import_images.py

Lines 80 to 82 in de150d0

	imgs_existing = dbConn.execute('''
	SELECT filename FROM {}.image;
	'''.format(dbSchema), None, 'all')

aerial_wildlife_detection/projectCreation/import_images.py

Lines 90 to 94 in de150d0

	dbConn.insert('''
	INSERT INTO {}.image (filename)
	VALUES %s;
	'''.format(dbSchema),
	imgs)

aerial_wildlife_detection/application.py

Lines 69 to 73 in de150d0

	isMigrated = dbConnector.execute('''
	SELECT COUNT(*) AS cnt
	FROM aide_admin.project
	WHERE shortname = %s;
	''', (dbSchema,), 1)

There are various examples of this in the source code.

[bkellenb]

Hello,

Thank you very much for raising these issues.
As a matter of fact most of them are in legacy import and export scripts that are more or less replaced with browser functionality.
I nonetheless replaced them in the latest commit on the current development branch ("aide_detectron2"), which is going to become the new master branch accordingly. All other locations should be SQL injection-proof as well.

The only exception is the setup/migrate_aide.py script, which would require too many formatting commands for each project. However, this script is only executed at the launch of AIDE and cannot be accessed from the Web server in any normal way.

FYI: the first two examples pose a risk to SQL injection; the third is the officially recommended way of using the psycopg2 library and involves automatic SQL injection prevention in the library itself (see documentation).