Improve detecting SQL injections in f-strings #917
Merged
Commits on Feb 24, 2023
-
Improve detecting SQL injections in f-strings
This commit fixes detecting SQL injection in statements like: f"SELECT {column_name} FROM foo WHERE id = 1" f"INSERT INTO {table_name} VALUES (1)" f"UPDATE {table_name} SET id = 1" Before this change, the bandit was analyzing statements by parts, especially, in the case of: "SELECT {column_name} FROM foo WHERE id = 1" it was firstly checking "SELECT " for being an SQL statement and then " FROM foo WHERE id = 1". Neither of these parts match to defined regular expressions: r"(select\s.*from\s|" r"delete\s+from\s|" r"insert\s+into\s.*values\s|" r"update\s.*set\s)", Thus SQL injection was not detected. This commit makes bandit checking the whole SQL statement for matching the above regexps. Resolves: PyCQA#916 -
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.