Update sql_injection_login.py #7
bandarisantosh wants to merge 3 commits into bandarisantosh-patch-1 from
Conversation
| flask.render_template_string(username) | ||
| sql = f"SELECT * FROM users WHERE username='{username}' AND password='{password_hash}'" | ||
| flask.render_template_string(username) |
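Review bot: in `flask.render_template_string(username)` the request value is the template source itself, not a variable rendered into a template, so Jinja autoescaping never applies and any `{{ ... }}` in the submitted username is evaluated server-side. Pass the value in as a context variable to a fixed template instead, e.g. `flask.render_template_string("<div>{{ username }}</div>", username=username)`, or drop the call entirely if nothing in this handler needs the rendered output (the current line does not use its return value).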
Found a template created with string formatting. This is susceptible to server-side template injection and cross-site scripting attacks.
Ignore this finding from render-template-string.
Semgrep Assistant suggests the following fix: Use Flask's render_template with an HTML template instead of render_template_string.
Step-by-step instructions:
- Replace the `flask.render_template_string(username)` call with a safer method to handle the username. If you need to display the username, use the `render_template` function with a proper HTML template.
- Create a new HTML template file, for example `username_display.html`, and include a placeholder for the username: `<div>{{ username }}</div>`.
- Replace the `flask.render_template_string(username)` line with `return render_template('username_display.html', username=username)`.
- Ensure that the `username_display.html` file is stored in the appropriate templates directory for Flask to find it.
This code change should be a good starting point:
| flask.render_template_string(username) | |
| return render_template('username_display.html', username=username) |
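Review bot: the suggested replacement calls `render_template` unqualified while the line it replaces uses the module-qualified `flask.render_template_string`; unless the file already has `from flask import render_template`, this raises `NameError` at request time. Either write `flask.render_template('username_display.html', username=username)` or add the import. The replacement also turns the statement into a `return`, whereas the original discarded the rendered value, so confirm that returning here is the intended response for this code path.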
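As an added example (not code from the bad-python-app project or from the Semgrep Assistant), the two patterns described above side by side. It uses jinja2 directly, since that is the engine behind Flask's `render_template_string`, so Flask itself is not needed; the `env` object, the function names and the sample payloads are constructed for the demo.

```python
"""Added example: render_template_string(username) beside the fixed-template form.

jinja2 is Flask's template engine, so the behaviour shown is what Flask shows;
Flask is not required to run this. Function names and payloads are constructed
for the demo and are not from the project.
"""
from jinja2 import Environment

# Flask enables autoescaping for .html templates; set it explicitly so the safe
# path matches what render_template('username_display.html') would do.
env = Environment(autoescape=True)

# Constructed sample inputs: a harmless name and three hostile "usernames".
BENIGN = "alice"
EXPR_PAYLOAD = "{{ 7 * 7 }}"                  # proves the input is evaluated
MRO_PAYLOAD = "{{ ''.__class__.__mro__ }}"    # reaches Python objects from a template
XSS_PAYLOAD = "<script>alert(1)</script>"     # plain HTML injection


def render_vulnerable(username: str) -> str:
    """Mirrors flask.render_template_string(username): the input IS the template.

    Autoescaping cannot help here, because the attacker controls the template
    source rather than a variable substituted into it.
    """
    return env.from_string(username).render()


def render_safe(username: str) -> str:
    """Mirrors the suggested fix: constant template, input bound as a variable.

    Equivalent to render_template('username_display.html', username=username)
    with a template body of <div>{{ username }}</div>.
    """
    return env.from_string("<div>{{ username }}</div>").render(username=username)


if __name__ == "__main__":
    for payload in (BENIGN, EXPR_PAYLOAD, MRO_PAYLOAD, XSS_PAYLOAD):
        print(f"input:      {payload}")
        print(f"vulnerable: {render_vulnerable(payload)}")
        print(f"safe:       {render_safe(payload)}\n")
```

The `{{ 7 * 7 }}` probe is the usual first check for SSTI: if the response contains `49`, the server evaluated the input as a template. The `__mro__` payload shows why that matters more than XSS, since an unsandboxed Jinja environment lets the template walk from a string literal to arbitrary Python classes.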
| sql = f"SELECT * FROM users WHERE username='{username}' AND password='{password_hash}'" | ||
| flask.render_template_string(username) | ||
| sql = f"SELECT * FROM users WHERE username='{username}' AND password='{password_hash}'" |
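Review bot: the f-string wraps both `username` and `password_hash` in single quotes inside the SQL text, so a single quote in the submitted username closes the literal and a trailing `--` comments out the `AND password=...` clause, turning the login into a lookup by username alone. Bind both values as parameters so the query text stays constant. Separately, authenticating by matching the hash inside the `WHERE` clause is worth revisiting: fetch the row by username and compare the stored hash in application code, which keeps the comparison logic (and any constant-time compare) out of the database layer.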
Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using the Django object-relational mappers (ORM) instead of raw SQL queries.
Dataflow graph (vulns/sql_injection/sql_injection_login.py at commit b12195a4461a6800b290d02cde200b9c17fbd99b, https://github.com/bandarisantosh/bad-python-app/blob/b12195a4461a6800b290d02cde200b9c17fbd99b/vulns/sql_injection/sql_injection_login.py#L14):
Source: [Line 14] request.form -> Traces: [Line 14] form -> [Line 16] username -> Sink: [Line 23] f"SELECT * FROM users WHERE username='{username}' AND password='{password_hash}'"
Semgrep Assistant suggests the following fix: Use parameterized queries instead of format strings to prevent SQL injection.
Step-by-step instructions:
- Replace the format string with a parameterized query. Remove the `f` prefix from the string and replace the dynamic values with placeholders. For example, change the SQL string to: `sql = "SELECT * FROM users WHERE username=%s AND password=%s"`.
- Pass the dynamic values as a tuple in the second argument of the `execute_read` method. For example, update the call to: `db_result = app.db_helper.execute_read(sql, (username, password_hash))`.
This change uses parameterized queries, which help prevent SQL injection by separating SQL code from data.
This code change should be a good starting point:
| sql = f"SELECT * FROM users WHERE username='{username}' AND password='{password_hash}'" | |
| sql = "SELECT * FROM users WHERE username=%s AND password=%s" | |
| db_result = app.db_helper.execute_read(sql, (username, password_hash)) |
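Review bot: `%s` is the paramstyle of drivers such as psycopg2 and PyMySQL; sqlite3 expects `?`, so match the placeholder to whichever driver sits behind `app.db_helper`. The hunk also does not show the signature of `execute_read`: confirm it accepts a parameters tuple and forwards it to `cursor.execute(sql, params)` rather than formatting the values into the string itself, otherwise the values are still interpolated, or the tuple is silently ignored and the query fails.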
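As an added example (not code from the bad-python-app project or the Semgrep Assistant), the login query from this PR beside its parameterized form, run against an in-memory SQLite database. The `users` table, the sample accounts, the SHA-256 hashing and the function names are constructed for the demo; note that sqlite3 uses the `?` paramstyle rather than the `%s` shown in the suggested fix.

```python
"""Added example: f-string login query vs. a parameterized query, in SQLite.

The users table, accounts, hashing scheme and function names are constructed
for the demo and are not from the project. sqlite3 uses '?' placeholders; the
'%s' in the suggested fix is for DB-API drivers such as psycopg2 or PyMySQL.
"""
import hashlib
import sqlite3

# Constructed sample accounts (plaintext only so the demo can hash them).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def hash_password(password: str) -> str:
    # Assumption for the demo; the project's password_hash derivation is not shown.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [(name, hash_password(pw)) for name, pw in USERS],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Mirrors the PR: untrusted input interpolated straight into the SQL text."""
    password_hash = hash_password(password)
    sql = f"SELECT * FROM users WHERE username='{username}' AND password='{password_hash}'"
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened form: constant SQL text, values travel as bound parameters."""
    password_hash = hash_password(password)
    sql = "SELECT * FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password_hash)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    # Constructed attempts: a real login, a comment-out of the password check,
    # and a tautology that matches every row.
    for name, pw in [("alice", "s3cret"), ("alice'--", "wrong"), ("' OR 1=1--", "wrong")]:
        print(
            f"{name!r:>14}: vulnerable={login_vulnerable(db, name, pw)} "
            f"parameterized={login_parameterized(db, name, pw)}"
        )
```

With the f-string, `alice'--` yields `WHERE username='alice'--' AND password='...'`, so the password clause is commented away and the attacker logs in as alice; `' OR 1=1--` matches the first row in the table regardless of account. The parameterized version treats both strings as opaque username values, finds no such user, and returns false.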
Update sql_injection_login.py
No description provided.