Is it safe to use untrusted keywords in HoneySQL maps? #368
Is it safe to use untrusted keywords in HoneySQL maps? For example, is the following code vulnerable to SQL injection?

```clojure
(sql/format {:select [(keyword (read-string-from-untrusted-user))]
             :from :whatever})
```
Answered by
seancorfield
Oct 5, 2021
Replies: 1 comment 1 reply
HoneySQL makes an attempt to prevent injection via such code but you probably shouldn't rely on just that for security:

```clojure
dev=> (sql/format {:select [(keyword "1; drop table users; select *")] :from :whatever})
Execution error (ExceptionInfo) at honey.sql/format-entity (sql.cljc:237).
suspicious character found in entity: 1; drop table users; select *
```

Currently, it only detects `;` and disallows SQL entities that contain that character.
1 reply
Answer selected by
olavfosse
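An allow-list is the usual way to avoid leaning on HoneySQL's `;` check alone: validate untrusted column names against a fixed set before they become keywords in the query map. This is an added example, not code from the discussion or from HoneySQL itself; the `:users` table, the `allowed-columns` set and the `select-columns` function are assumptions made up for illustration.

```clojure
(ns example.safe-select
  (:require [honey.sql :as sql]))

;; Assumed allow-list of columns a caller may request. Anything not in
;; this set is rejected before HoneySQL ever sees it as an entity.
(def allowed-columns #{:id :name :email})

(defn select-columns
  "Build a SELECT on the (assumed) :users table from user-supplied column
   names. Throws ex-info listing every name that is not in the allow-list,
   so untrusted strings never reach sql/format as SQL entities."
  [requested]
  (let [ks  (mapv keyword requested)
        bad (remove allowed-columns ks)]          ; set used as predicate
    (when (seq bad)
      (throw (ex-info "column not permitted" {:columns (vec bad)})))
    (sql/format {:select ks :from :users})))

(comment
  ;; Valid request: only allow-listed names, formatted by HoneySQL as usual.
  (select-columns ["id" "email"])

  ;; The payload from the answer above never reaches format-entity; it is
  ;; rejected by the allow-list, as is any other unexpected name such as
  ;; "password" that contains no suspicious characters at all.
  (select-columns ["1; drop table users; select *"])
  (select-columns ["password"]))
```

The second rejected call is the case HoneySQL's character check cannot help with: a syntactically harmless column name that the caller simply should not be allowed to read.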