Sanitize and blob values

Author: BrandonRoehl

dump.go

@@ -77,8 +77,7 @@ INSERT INTO {{ .Name }} VALUES {{ .Values }};
 UNLOCK TABLES;
 `
 
-const footerTmpl = `
-/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;
+const footerTmpl = `/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;
 
 /*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
 /*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
@@ -282,7 +281,9 @@ func createTableValues(db *sql.DB, name string) (string, error) {
 	types := make([]reflect.Type, len(tt))
 	for i, tp := range tt {
 		st := tp.ScanType()
-		if st == nil || st.Kind() == reflect.Slice {
+		if tp.DatabaseTypeName() == "BLOB" {
+			types[i] = reflect.TypeOf(sql.RawBytes{})
+		} else if st == nil || st.Kind() == reflect.Slice {
 			types[i] = reflect.TypeOf(sql.NullString{})
 		} else if st.Kind() == reflect.Int ||
 			st.Kind() == reflect.Int8 ||
@@ -311,7 +312,7 @@ func createTableValues(db *sql.DB, name string) (string, error) {
 				dataStrings[key] = "null"
 			} else if s, ok := value.(*sql.NullString); ok {
 				if s.Valid {
-					dataStrings[key] = "'" + strings.Replace(s.String, "\n", "\\n", -1) + "'"
+					dataStrings[key] = "'" + sanitize(s.String) + "'"
 				} else {
 					dataStrings[key] = "NULL"
 				}
@@ -321,6 +322,12 @@ func createTableValues(db *sql.DB, name string) (string, error) {
 				} else {
 					dataStrings[key] = "NULL"
 				}
+			} else if s, ok := value.(*sql.RawBytes); ok {
+				if len(*s) == 0 {
+					dataStrings[key] = "NULL"
+				} else {
+					dataStrings[key] = "_binary '" + sanitize(string(*s)) + "'"
+				}
 			} else {
 				dataStrings[key] = fmt.Sprint("'", value, "'")
 			}

dump_test.go

@@ -325,7 +325,6 @@ LOCK TABLES \Test_Table\ WRITE;
 INSERT INTO \Test_Table\ VALUES ('1',null,'Test Name 1'),('2','[email protected]','Test Name 2');
 /*!40000 ALTER TABLE \Test_Table\ ENABLE KEYS */;
 UNLOCK TABLES;
-
 /*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;
 
 /*!40101 SET SQL_MODE=@OLD_SQL_MODE */;

sanitize.go

@@ -0,0 +1,31 @@
+package mysqldump
+
+import "strings"
+
+var lazyMySQLReplacer *strings.Replacer
+
+func mysqlReplacer() *strings.Replacer {
+	if lazyMySQLReplacer == nil {
+		lazyMySQLReplacer = strings.NewReplacer(
+			"\x00", "\\0",
+			"'", "\\'",
+			"\"", "\\\"",
+			"\b", "\\b",
+			"\n", "\\n",
+			"\r", "\\r",
+			// "\t", "\\t",
+			"\x1A", "\\Z", // ASCII 26 == x1A
+			"\\", "\\\\",
+			"%", "\\%",
+			// "_", "\\_",
+		)
+	}
+	return lazyMySQLReplacer
+}
+
+// MySQL sanitizes mysql based on
+// https://dev.mysql.com/doc/refman/8.0/en/string-literals.html table 9.1
+// needs to be placed in either a single or a double quoted string
+func sanitize(input string) string {
+	return mysqlReplacer().Replace(input)
+}

sanitize_test.go

@@ -0,0 +1,25 @@
+package mysqldump
+
+import (
+	"fmt"
+	"testing"
+)
+
+func TestForSQLInjection(t *testing.T) {
+	examples := [][]string{
+		/** Query ** Input ** Expected **/
+		{"SELECT * WHERE field = '%s';", "test", "SELECT * WHERE field = 'test';"},
+		{"'%s'", "'; DROP TABLES `test`;", "'\\'; DROP TABLES `test`;'"},
+		{"'%s'", "'+(SELECT name FROM users LIMIT 1)+'", "'\\'+(SELECT name FROM users LIMIT 1)+\\''"},
+		{"SELECT '%s'", "\x00x633A5C626F6F742E696E69", "SELECT '\\0x633A5C626F6F742E696E69'"},
+		{"WHERE PASSWORD('%s')", "') OR 1=1--", "WHERE PASSWORD('\\') OR 1=1--')"},
+	}
+	var query string
+	for _, example := range examples {
+		query = fmt.Sprintf(example[0], sanitize(example[1]))
+
+		if example[2] != query {
+			t.Fatalf("expected %#v, got %#v", example[2], query)
+		}
+	}
+}