Skip to content

fix(docs): Update SQL injection examples to use placeholder syntax #6127

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
fix-it-felix-sentry wants to merge 1 commit into from
Closed

fix(docs): Update SQL injection examples to use placeholder syntax #6127

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .agents/skills/code-review/SKILL.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -91,7 +91,7 @@ useEffect(() => {

```python
# Bad: SQL injection risk
cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")
cursor.execute("SELECT * FROM users WHERE id = <user_id>")

# Good: Parameterized query
cursor.execute("SELECT * FROM users WHERE id = %s", [user_id])
Expand Down
6 changes: 3 additions & 3 deletions .agents/skills/security-review/SKILL.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -202,9 +202,9 @@ child_process.exec(user) # Node.js
innerHTML = userInput # DOM XSS
dangerouslySetInnerHTML={user} # React XSS
v-html="userInput" # Vue XSS
f"SELECT * FROM x WHERE {user}" # SQL injection
`SELECT * FROM x WHERE ${user}` # SQL injection
os.system(f"cmd {user_input}") # Command injection
"SELECT * FROM x WHERE <user>" # SQL injection
`SELECT * FROM x WHERE <user>` # SQL injection
os.system("cmd <user_input>") # Command injection
```

### Always Flag (Secrets)
Expand Down
4 changes: 2 additions & 2 deletions .agents/skills/security-review/languages/javascript.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -123,8 +123,8 @@ res.render('template', { name: userInput }); // EJS, Pug, Handlebars

```javascript
// SQL Injection
db.query(`SELECT * FROM users WHERE id = ${userId}`); // FLAG
connection.query('SELECT * FROM users WHERE name = "' + name + '"'); // FLAG
db.query(`SELECT * FROM users WHERE id = <userId>`); // FLAG
connection.query('SELECT * FROM users WHERE name = "' + "<name>" + '"'); // FLAG

// NoSQL Injection
db.collection('users').find({ $where: userInput }); // FLAG: Code execution
Expand Down
26 changes: 13 additions & 13 deletions .agents/skills/security-review/languages/python.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -70,11 +70,11 @@ mark_safe(user_input) # FLAG: If user_input is user-controlled
format_html() with unescaped input # CHECK: Depends on usage

# SQL Injection
User.objects.raw(f"SELECT * FROM users WHERE name = '{user_input}'") # FLAG
User.objects.extra(where=[f"name = '{user_input}'"]) # FLAG (deprecated)
cursor.execute(f"SELECT * FROM users WHERE id = {user_id}") # FLAG
RawSQL(f"SELECT * FROM x WHERE y = '{input}'") # FLAG
connection.execute(query % user_input) # FLAG
User.objects.raw("SELECT * FROM users WHERE name = '<user_input>'") # FLAG
User.objects.extra(where=["name = '<user_input>'"]) # FLAG (deprecated)
cursor.execute("SELECT * FROM users WHERE id = <user_id>") # FLAG
RawSQL("SELECT * FROM x WHERE y = '<input>'") # FLAG
connection.execute("query with <user_input>") # FLAG

# Command Injection
os.system(f"cmd {user_input}") # FLAG
Expand Down Expand Up @@ -139,8 +139,8 @@ render_template_string(user_input) # FLAG: SSTI vulnerability
{{ variable|safe }} # FLAG in templates

# SQL Injection
db.engine.execute(f"SELECT * FROM users WHERE name = '{user_input}'") # FLAG
text(f"SELECT * FROM users WHERE id = {user_id}") # FLAG
db.engine.execute("SELECT * FROM users WHERE name = '<user_input>'") # FLAG
text("SELECT * FROM users WHERE id = <user_id>") # FLAG

# SSTI (Server-Side Template Injection)
render_template_string(user_controlled_template) # FLAG: Critical
Expand Down Expand Up @@ -180,8 +180,8 @@ db.query(User).filter(User.id == user_id).first()

```python
# SQL Injection (same as Flask/SQLAlchemy)
db.execute(f"SELECT * FROM users WHERE id = {user_id}") # FLAG
text(f"SELECT * FROM users WHERE name = '{name}'") # FLAG
db.execute("SELECT * FROM users WHERE id = <user_id>") # FLAG
text("SELECT * FROM users WHERE name = '<name>'") # FLAG

# Response without validation
@app.get("/data")
Expand Down Expand Up @@ -303,12 +303,12 @@ session.execute(text("SELECT * FROM users WHERE id = :id"), {"id": user_id})

```python
# String interpolation in queries
session.execute(f"SELECT * FROM users WHERE name = '{name}'")
session.execute("SELECT * FROM users WHERE name = '%s'" % name)
session.execute("SELECT * FROM users WHERE name = '" + name + "'")
session.execute("SELECT * FROM users WHERE name = '<name>'")
session.execute("SELECT * FROM users WHERE name = '<name>'")
session.execute("SELECT * FROM users WHERE name = '" + "<name>" + "'")

# text() with interpolation
session.execute(text(f"SELECT * FROM users WHERE id = {user_id}"))
session.execute(text("SELECT * FROM users WHERE id = <user_id>"))
```

---
Expand Down
2 changes: 1 addition & 1 deletion .agents/skills/security-review/references/error-handling.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -323,7 +323,7 @@ process.on('unhandledRejection', (reason, promise) => {
@app.route('/api/search')
def search():
try:
results = db.execute(f"SELECT * FROM items WHERE name = '{query}'")
results = db.execute("SELECT * FROM items WHERE name = '<query>'")
return jsonify(results)
except Exception as e:
return jsonify({'error': str(e)}), 500
Expand Down
16 changes: 8 additions & 8 deletions .agents/skills/security-review/references/injection.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -56,21 +56,21 @@ switch(tableName) {

```python
# VULNERABLE: String concatenation
query = "SELECT * FROM users WHERE name = '" + user_input + "'"
query = "SELECT * FROM users WHERE name = '" + "<user_input>" + "'"

# VULNERABLE: f-string interpolation
query = f"SELECT * FROM users WHERE id = {user_id}"
query = "SELECT * FROM users WHERE id = <user_id>"

# VULNERABLE: format() method
query = "SELECT * FROM users WHERE name = '{}'".format(user_input)
query = "SELECT * FROM users WHERE name = '{}'".format("<user_input>")
```

```javascript
// VULNERABLE: Template literal
const query = `SELECT * FROM users WHERE id = ${userId}`;
const query = `SELECT * FROM users WHERE id = <userId>`;

// VULNERABLE: String concatenation
const query = "SELECT * FROM users WHERE name = '" + userName + "'";
const query = "SELECT * FROM users WHERE name = '" + "<userName>" + "'";
```

### ORM Safety Considerations
Expand All @@ -81,10 +81,10 @@ const query = "SELECT * FROM users WHERE name = '" + userName + "'";
User.objects.filter(username=user_input)

# VULNERABLE: raw() with interpolation
User.objects.raw(f"SELECT * FROM users WHERE name = '{user_input}'")
User.objects.raw("SELECT * FROM users WHERE name = '<user_input>'")

# VULNERABLE: extra() with unvalidated input
User.objects.extra(where=[f"name = '{user_input}'"])
User.objects.extra(where=["name = '<user_input>'"])
```

**SQLAlchemy**
Expand All @@ -93,7 +93,7 @@ User.objects.extra(where=[f"name = '{user_input}'"])
session.query(User).filter(User.name == user_input)

# VULNERABLE: text() with interpolation
session.execute(text(f"SELECT * FROM users WHERE name = '{user_input}'"))
session.execute(text("SELECT * FROM users WHERE name = '<user_input>'"))
```

---
Expand Down
Loading