Potential SQL Injection Vulnerability Found in Function #147

@juniair

Description

Describe the bug
While developing a project that uses fosslight binary scanner as a direct Python package, I reviewed the code in the main branch and found a piece of code that may lead to an SQL injection vulnerability.

In the _binary_dao.py file, within the get_oss_info_by_tlsh_and_filename function (specifically at lines 99, 106, and 126), SQL queries are constructed by directly inserting parameter values (file_name, checksum_value, tlsh_value) using string formatting (format). These queries are then executed directly inside the get_list_by_using_query function.

If malicious values are passed to the get_oss_info_by_tlsh_and_filename function, this could lead to a SQL injection vulnerability.

To Reproduce

  1. Import the get_oss_info_by_tlsh_and_filename function from _binary_dao.
  2. Call the function with the following inputs:
       file_name = "'; DROP TABLE lgematching; --"
       checksum_value = "any"
       tlsh_value = "any"

Expected behavior
Queries generated by the function should use parameter binding so that the query structure cannot be altered regardless of input values.

Screenshots
N/A

System Environment (please complete the following information):

  • OS: Any
  • Python version: 3.12
  • Etc

Additional context
This vulnerability requires prompt remediation.
If it is determined that this issue does not pose a security risk, please provide an explanation as to why it is considered safe.
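
An added example, not code from the fosslight repository, that reconstructs the pattern the report describes: a lookup that pastes file_name and checksum_value into the SQL text with str.format, beside the same lookup rewritten with parameter binding as the report asks for. It runs against an in-memory SQLite table named lgematching (a constructed stand-in; the real schema, database driver and connection handling of _binary_dao.py are not shown on this page), and the helpers make_db, lookup_vulnerable, lookup_hardened, get_list_by_using_query and table_exists are names assumed for the demonstration, not the project's own.

```python
import sqlite3

# Constructed sample data: the real fosslight binary DB schema is not on the
# page, so this table is a stand-in using the column names the report mentions.
SAMPLE_ROWS = [
    ("libfoo.so", "aaa111", "T1AAA", "foo", "1.0", "MIT"),
    ("libbar.so", "bbb222", "T1BBB", "bar", "2.3", "Apache-2.0"),
    ("vendor.bin", "ccc333", "T1CCC", "vendor-lib", "9.9", "Proprietary"),
]

# Payloads used below: one that rewrites the WHERE clause inside a single
# statement, and the stacked-statement payload quoted in the report.
TAUTOLOGY = "' OR '1'='1' --"
DROP_PAYLOAD = "'; DROP TABLE lgematching; --"


def make_db():
    """In-memory SQLite DB with a hypothetical lgematching table (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE lgematching ("
        "filename TEXT, checksum TEXT, tlsh TEXT, "
        "ossname TEXT, ossversion TEXT, license TEXT)"
    )
    conn.executemany("INSERT INTO lgematching VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def get_list_by_using_query(conn, query, params=()):
    """Hypothetical executor: runs one query and returns all matching rows."""
    return conn.execute(query, params).fetchall()


def lookup_vulnerable(conn, file_name, checksum_value):
    """The pattern the report describes: caller-supplied values are spliced
    into the SQL text with str.format, so a quote in the value ends the
    string literal and the rest of the value becomes SQL."""
    query = (
        "SELECT ossname, ossversion, license FROM lgematching "
        "WHERE filename = '{0}' AND checksum = '{1}'"
    ).format(file_name, checksum_value)
    return get_list_by_using_query(conn, query)


def lookup_hardened(conn, file_name, checksum_value):
    """Same lookup with parameter binding: the SQL text is a fixed string
    with placeholders, and the values are handed to the driver separately,
    so no input can change the statement's structure."""
    query = (
        "SELECT ossname, ossversion, license FROM lgematching "
        "WHERE filename = ? AND checksum = ?"
    )
    return get_list_by_using_query(conn, query, (file_name, checksum_value))


def table_exists(conn, name="lgematching"):
    """True if the named table is still present in the database."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology payload:", lookup_vulnerable(db, TAUTOLOGY, "any"))
    print("hardened,   tautology payload:", lookup_hardened(db, TAUTOLOGY, "any"))
    print("hardened,   DROP payload     :", lookup_hardened(db, DROP_PAYLOAD, "any"))
    print("table still present:", table_exists(db))
```

With the formatted query, the tautology payload turns the WHERE clause into filename = '' OR '1'='1' followed by a comment, so every row in the table comes back even though no file has that name; under binding the same string is compared as a literal filename and matches nothing. One caveat when reproducing the report's own payload: sqlite3's execute() refuses to run more than one statement, so '; DROP TABLE lgematching; -- raises an error in the formatted version here instead of dropping the table, and whether a stacked statement executes against the project's real database depends on its driver, which this page does not name. Under binding the payload is just another literal and the table is unaffected either way.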

Metadata

Labels

bug [Issue] Something isn't working

Projects

No projects

Milestone

No milestone

Development

No branches or pull requests