from odoo import models | |
class TestSQLInjection(models.Model):
    """Lint fixture for Odoo's ``sql-injection`` (E8501) pylint checker.

    Every ``cr.execute`` call below builds the query text by ``%``-formatting
    or ``+``-concatenating a value into the SQL string instead of passing it
    as a bound parameter.  The module is meant to be parsed by the checker,
    not executed: several statements reference names that are never defined
    here (``where``, ``where_list``) or would raise at runtime.

    ``test_sql_injection`` holds the cases the checker is expected to report;
    ``test_sql_injection_ignored`` holds the cases it is expected to skip.
    The skip rules are heuristics based on naming (a leading underscore,
    ``self._table``) and on the presence of a separate params argument; a
    name's spelling is not evidence that its value is trusted.
    """

    _name = 'test.sql.injection'

    # Public helper: the checker treats its return value as untrusted.
    def get_params(self) -> None:
        pass

    # Underscore-prefixed helper: the checker treats its return value as trusted.
    def _get_params(self) -> None:
        pass

    def test_sql_injection(self, param, _param2) -> None:
        """Cases the checker must report (one E8501 per ``execute``).

        The value interpolated into the query is, in turn: a public argument,
        an underscore-prefixed argument, a public attribute, a local string,
        a record field, a public method result and a free name.  The
        formatting shapes exercised are ``%`` with a bare value, ``+``,
        ``%`` with a tuple and ``%`` with a list.  None of these binds the
        value, and a table/column name cannot be bound as a query parameter
        anyway; the usual remedy in Odoo is ``psycopg2.sql.Identifier`` for
        identifiers and a ``(query, params)`` pair for values.
        """
        _variable = "hola"
        # Caller-supplied argument: the canonical injection sink.
        self.env.cr.execute("SELECT * FROM %s" % param)
        self.env.cr.execute("SELECT * FROM " + param)
        self.env.cr.execute("SELECT * FROM %s" % (param,))
        self.env.cr.execute("SELECT * FROM %s" % [param])
        # Underscore-prefixed *argument*: still caller-controlled, still
        # reported (the underscore convention is not applied to parameters).
        self.env.cr.execute("SELECT * FROM %s" % _param2)
        self.env.cr.execute("SELECT * FROM " + _param2)
        self.env.cr.execute("SELECT * FROM %s" % (_param2,))
        # Public attribute (``self.table`` rather than the ORM's ``_table``).
        self.env.cr.execute("SELECT * FROM %s" % self.table)
        self.env.cr.execute("SELECT * FROM " + self.table)
        self.env.cr.execute("SELECT * FROM %s WHERE id=%s" % (param, self.table))
        self.env.cr.execute("SELECT * FROM %s" % (self.table,))
        # Local string, even though it is assigned a constant here.
        self.env.cr.execute("SELECT * FROM %s" % _variable)
        self.env.cr.execute("SELECT * FROM " + _variable)
        self.env.cr.execute("SELECT * FROM %s" % (_variable,))
        for record in self:
            # Public field of the record being iterated.
            self.env.cr.execute("SELECT * FROM %s" % record.variable)
            self.env.cr.execute("SELECT * FROM %s" % (record.variable,))
        # Result of a public method call.
        self.env.cr.execute("SELECT * FROM %s" % self.get_params())
        self.env.cr.execute("SELECT * FROM %s" % (self.get_params(),))
        # ``where`` / ``where_list`` are not defined in this fixture; they
        # stand in for an arbitrary, externally built WHERE clause.
        self.env.cr.execute("SELECT %s FROM table WHERE %s" % (self._table, where))
        self.env.cr.execute("SELECT %s FROM table WHERE %s" % (self._table, ''.join(where_list)))
        self.env.cr.execute("SELECT %s FROM table WHERE %s" % (self.table, param))

    def test_sql_injection_ignored(self) -> None:
        """Cases the checker is expected to leave unreported.

        Each one interpolates a value whose name the checker takes as a
        trusted, module-controlled source: ``self._table`` (presumably the
        ORM-assigned table name), an underscore-prefixed record attribute, or
        the result of an underscore-prefixed method.  These are the same
        formatting shapes as in ``test_sql_injection``; only the provenance
        heuristic differs.
        """
        self.env.cr.execute("SELECT * FROM %s" % self._table)
        self.env.cr.execute("SELECT * FROM " + self._table)
        self.env.cr.execute("SELECT * FROM %s" % (self._table,))
        self.env.cr.execute("SELECT * FROM %s" % [self._table])
        for record in self:
            self.env.cr.execute("SELECT * FROM %s" % record._variable)
            self.env.cr.execute("SELECT * FROM " + record._variable)
            self.env.cr.execute("SELECT * FROM %s" % (record._variable,))
            self.env.cr.execute("SELECT * FROM %s" % [record._variable])
        self.env.cr.execute("SELECT * FROM %s" % self._get_params())
        # Concatenation variant: ``+`` is used, so the literal ``%s`` is never
        # substituted (and ``_get_params()`` returns None, so this would raise
        # if executed).
        self.env.cr.execute("SELECT * FROM %s" + self._get_params())
        self.env.cr.execute("SELECT * FROM %s" % (self._get_params(),))
        self.env.cr.execute("SELECT * FROM %s" % [self._get_params()])
        # NOTE: this can still be an injection -- ``self.table`` (a public
        # attribute) is interpolated into the query text, and the trailing
        # params tuple binds values only, never identifiers.  The checker
        # nevertheless skips any execute() that passes a separate params
        # argument, on the assumption that the author parameterised the query
        # deliberately.  Also, the format string has two ``%s`` for a single
        # non-tuple value, so it would raise TypeError if run; fixture only.
        self.env.cr.execute("SELECT %s FROM table WHERE %s" % (self.table), (param,))
$ PYTHONPATH=$PYTHONPATH:~/odoo-13.0/odoo/addons/test_lint/tests python -m pylint --load-plugins=_odoo_checker_sql_injection -d all -e sql-injection --msg-template="{path}:{line}: [{msg_id}({symbol}), {obj}] | |
{msg}" /home/odoo/odoo-13.0/odoo/addons/test_lint/tests/model_sql_injection.py | |
No config file found, using default configuration | |
************* Module odoo.addons.test_lint.tests.model_sql_injection | |
odoo-13.0/odoo/addons/test_lint/tests/model_sql_injection.py:16: [E8501(sql-injection), TestSQLInjection.test_sql_injection] | |
Possible SQL injection risk. | |
odoo-13.0/odoo/addons/test_lint/tests/model_sql_injection.py:17: [E8501(sql-injection), TestSQLInjection.test_sql_injection] | |
Possible SQL injection risk. | |
odoo-13.0/odoo/addons/test_lint/tests/model_sql_injection.py:18: [E8501(sql-injection), TestSQLInjection.test_sql_injection] | |
Possible SQL injection risk. | |
odoo-13.0/odoo/addons/test_lint/tests/model_sql_injection.py:19: [E8501(sql-injection), TestSQLInjection.test_sql_injection] | |
Possible SQL injection risk. | |
odoo-13.0/odoo/addons/test_lint/tests/model_sql_injection.py:20: [E8501(sql-injection), TestSQLInjection.test_sql_injection] | |
Possible SQL injection risk. | |
odoo-13.0/odoo/addons/test_lint/tests/model_sql_injection.py:21: [E8501(sql-injection), TestSQLInjection.test_sql_injection] | |
Possible SQL injection risk. | |
odoo-13.0/odoo/addons/test_lint/tests/model_sql_injection.py:22: [E8501(sql-injection), TestSQLInjection.test_sql_injection] | |
Possible SQL injection risk. | |
odoo-13.0/odoo/addons/test_lint/tests/model_sql_injection.py:23: [E8501(sql-injection), TestSQLInjection.test_sql_injection] | |
Possible SQL injection risk. | |
odoo-13.0/odoo/addons/test_lint/tests/model_sql_injection.py:24: [E8501(sql-injection), TestSQLInjection.test_sql_injection] | |
Possible SQL injection risk. | |
odoo-13.0/odoo/addons/test_lint/tests/model_sql_injection.py:25: [E8501(sql-injection), TestSQLInjection.test_sql_injection] | |
Possible SQL injection risk. | |
odoo-13.0/odoo/addons/test_lint/tests/model_sql_injection.py:26: [E8501(sql-injection), TestSQLInjection.test_sql_injection] | |
Possible SQL injection risk. | |
odoo-13.0/odoo/addons/test_lint/tests/model_sql_injection.py:27: [E8501(sql-injection), TestSQLInjection.test_sql_injection] | |
Possible SQL injection risk. | |
odoo-13.0/odoo/addons/test_lint/tests/model_sql_injection.py:28: [E8501(sql-injection), TestSQLInjection.test_sql_injection] | |
Possible SQL injection risk. | |
odoo-13.0/odoo/addons/test_lint/tests/model_sql_injection.py:29: [E8501(sql-injection), TestSQLInjection.test_sql_injection] | |
Possible SQL injection risk. | |
odoo-13.0/odoo/addons/test_lint/tests/model_sql_injection.py:31: [E8501(sql-injection), TestSQLInjection.test_sql_injection] | |
Possible SQL injection risk. | |
odoo-13.0/odoo/addons/test_lint/tests/model_sql_injection.py:32: [E8501(sql-injection), TestSQLInjection.test_sql_injection] | |
Possible SQL injection risk. | |
odoo-13.0/odoo/addons/test_lint/tests/model_sql_injection.py:33: [E8501(sql-injection), TestSQLInjection.test_sql_injection] | |
Possible SQL injection risk. | |
odoo-13.0/odoo/addons/test_lint/tests/model_sql_injection.py:34: [E8501(sql-injection), TestSQLInjection.test_sql_injection] | |
Possible SQL injection risk. | |
odoo-13.0/odoo/addons/test_lint/tests/model_sql_injection.py:35: [E8501(sql-injection), TestSQLInjection.test_sql_injection] | |
Possible SQL injection risk. | |
odoo-13.0/odoo/addons/test_lint/tests/model_sql_injection.py:36: [E8501(sql-injection), TestSQLInjection.test_sql_injection] | |
Possible SQL injection risk. | |
odoo-13.0/odoo/addons/test_lint/tests/model_sql_injection.py:37: [E8501(sql-injection), TestSQLInjection.test_sql_injection] | |
Possible SQL injection risk. |