From 050acf2b98a82ecb707b69fc6ff4bef6f84b4bd8 Mon Sep 17 00:00:00 2001
From: Satoshi Fujii
Date: Wed, 16 Jun 2021 13:41:24 +0000
Subject: Fix SQL security issue

Constructing SQL statement by python % formatting operator is dangerous. Use psycopg2 placeholder to escape special characters.

Signed-off-by: Satoshi Fujii
Issue-ID: DCAEGEN2-2836
Change-Id: I5ac804bc3e280c3eae14a5e224ca5fc7c7faccb7
---
 miss_htbt_service/config_notif.py | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

(limited to 'miss_htbt_service/config_notif.py')

diff --git a/miss_htbt_service/config_notif.py b/miss_htbt_service/config_notif.py
index cba898d..8da1140 100644
--- a/miss_htbt_service/config_notif.py
+++ b/miss_htbt_service/config_notif.py
@@ -58,8 +58,7 @@ def db_table_creation_check(connection_db, table_name):
     cur = None
     try:
         cur = connection_db.cursor()
-        query_db = "select * from information_schema.tables where table_name='%s'" % (table_name)
-        cur.execute(query_db)
+        cur.execute("SELECT * FROM information_schema.tables WHERE table_name = %s", (table_name,))
         database_names = cur.fetchone()
         if (database_names is not None) and (table_name in database_names):
             print(f"FOUND the table {table_name}")
@@ -148,8 +147,7 @@ def read_hb_common(user_name, password, ip_address, port_num, db_name):
         return hbc_pid, hbc_state, hbc_srcName, hbc_time
     connection_db = postgres_db_open(user_name, password, ip_address, port_num, db_name)
     cur = connection_db.cursor()
-    query_value = "SELECT process_id,source_name,last_accessed_time,current_state FROM hb_common;"
-    cur.execute(query_value)
+    cur.execute("SELECT process_id, source_name, last_accessed_time, current_state FROM hb_common")
     rows = cur.fetchall()
     # TODO: What if rows returned None or empty?
     print("HB_Notif::hb_common contents - %s" % rows)
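Review bot: The parameterized lookup on the `+` line of the db_table_creation_check hunk still matches `table_name` in every schema visible to the role, because information_schema.tables is not filtered on `table_schema` (nor on `table_type`, so a same-named view also counts); a collision in another schema would make this print FOUND and presumably skip whatever the caller does when the table is absent. I would scope the query, e.g. `cur.execute("SELECT 1 FROM information_schema.tables WHERE table_schema = current_schema() AND table_name = %s", (table_name,))`, after which the `table_name in database_names` membership test has to become `database_names is not None`. The `(table_name,)` tuple form is the correct psycopg2 usage and is the real fix here; keep it. The try's except/finally handling lies outside the hunk, so I cannot tell whether the cursor is closed on the error path.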
@@ -171,9 +169,8 @@ def update_hb_common(update_flg, process_id, state, user_name, password, ip_addr
         return True
     connection_db = postgres_db_open(user_name, password, ip_address, port_num, db_name)
     cur = connection_db.cursor()
-    query_value = "UPDATE hb_common SET PROCESS_ID='%d',SOURCE_NAME='%s', LAST_ACCESSED_TIME='%d',CURRENT_STATE='%s'" % (
-        process_id, source_name, current_time, state)
-    cur.execute(query_value)
+    cur.execute("UPDATE hb_common SET LAST_ACCESSED_TIME = %s, CURRENT_STATE = %s WHERE "
+                "PROCESS_ID = %s AND SOURCE_NAME = %s", (current_time, state, process_id, source_name))
     commit_and_close_db(connection_db)
     cur.close()
     return True
--
cgit 1.2.3-korg
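Review bot: The new UPDATE on the two `+` lines changes what the statement does, not only how it is built: the removed statement wrote all four columns to every row (it had no WHERE clause), whereas the new one only touches rows whose PROCESS_ID and SOURCE_NAME already equal the arguments and no longer writes those two columns at all. If hb_common holds a single row and this is how a (re)started process records its own pid — which is what the old `SET PROCESS_ID=...` suggests — the new statement matches zero rows after a pid change and the function still returns True, so the write silently does nothing. Either keep the original semantics with placeholders, `cur.execute("UPDATE hb_common SET PROCESS_ID = %s, SOURCE_NAME = %s, LAST_ACCESSED_TIME = %s, CURRENT_STATE = %s", (process_id, source_name, current_time, state))`, or, if the WHERE clause is intended, check `cur.rowcount` after the execute and log and return False when it is 0 instead of reporting success. Whichever is chosen, the commit message should state that the update semantics changed, since "Fix SQL security issue" does not cover it. update_hb_common's signature and the `update_flg` guard start before the hunk.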