Merge pull request #797 from rix1337/dev

v.20.1.1 - Prevent f-String-based SQL-Injection in sqlite db
rix1337 · Jul 13, 2024 · c323ee8 · c323ee8
2 parents 9fbec26 + e5d0917
commit c323ee8
Show file tree

Hide file tree

Showing 6 changed files with 44 additions and 27 deletions.
diff --git a/.gitignore b/.gitignore
@@ -19,6 +19,7 @@ venv
 # FeedCrawler files
 *.conf
 *.db
+*.db-journal
 *.log
 *.crawljob
 *.ini

diff --git a/feedcrawler/jobs/feed_search.py b/feedcrawler/jobs/feed_search.py
@@ -196,6 +196,8 @@ def feed_crawler(shared_state_dict, shared_state_lock):
                     task.periodical_task()
                 except Exception as e:
                     print("Fehler bei der Feed-Suche: " + str(e))
+                    error_trace = traceback.format_exc()
+                    print(error_trace)
                 logger.debug("-----------Suchlauf (" + name + file + ") ausgeführt!-----------")
 
             # Finish feed search and log results

diff --git a/feedcrawler/providers/sqlite_database.py b/feedcrawler/providers/sqlite_database.py
@@ -64,8 +64,8 @@ def __init__(self, table):
             self._conn = sqlite3.connect(shared_state.values["dbfile"], check_same_thread=False, timeout=5)
             self._table = table
             if not self._conn.execute(
-                    f"SELECT sql FROM sqlite_master WHERE type = 'table' AND name = '{self._table}';").fetchall():
-                self._conn.execute(f"CREATE TABLE {self._table} (key, value)")
+                    "SELECT sql FROM sqlite_master WHERE type = 'table' AND name = '%s';" % self._table).fetchall():
+                self._conn.execute("CREATE TABLE %s (key, value)" % self._table)
                 self._conn.commit()
         except sqlite3.OperationalError as e:
             try:
@@ -75,23 +75,25 @@ def __init__(self, table):
                 self._conn = sqlite3.connect(shared_state.values["dbfile"], check_same_thread=False, timeout=10)
                 self._table = table
                 if not self._conn.execute(
-                        f"SELECT sql FROM sqlite_master WHERE type = 'table' AND name = '{self._table}';").fetchall():
-                    self._conn.execute(f"CREATE TABLE {self._table} (key, value)")
+                        "SELECT sql FROM sqlite_master WHERE type = 'table' AND name = '%s';" % self._table).fetchall():
+                    self._conn.execute("CREATE TABLE %s (key, value)" % self._table)
                     self._conn.commit()
                     shared_state.logger.debug("Zugriff auf FeedCrawler.db nach Wartezeit war erfolgreich.")
             except sqlite3.OperationalError as e:
                 print("Fehler bei Zugriff auf FeedCrawler.db: ", str(e))
 
     def count(self):
-        res = self._conn.execute(f"SELECT Count() FROM {self._table}").fetchone()
+        res = self._conn.execute("SELECT Count() FROM %s" % self._table).fetchone()
         return res[0] if res else None
 
     def retrieve(self, key):
-        res = self._conn.execute(f"SELECT value FROM {self._table} WHERE key='{key}'").fetchone()
+        res = self._conn.execute(
+            "SELECT value FROM %s WHERE key='%s'" % (self._table, key)).fetchone()
         return res[0] if res else None
 
     def retrieve_all(self, key):
-        res = self._conn.execute(f"SELECT distinct value FROM {self._table} WHERE key='{key}' ORDER BY value")
+        res = self._conn.execute(
+            "SELECT distinct value FROM %s WHERE key='%s' ORDER BY value" % (self._table, key))
         items = []
         for r in res:
             items.append(str(r[0]))
@@ -106,38 +108,45 @@ def retrieve_all_beginning_with(self, key):
         return items
 
     def retrieve_all_titles(self):
-        res = self._conn.execute(f"SELECT distinct key, value FROM {self._table} ORDER BY key")
+        res = self._conn.execute(
+            "SELECT distinct key, value FROM %s ORDER BY key" % self._table)
         items = []
         for r in res:
             items.append([str(r[0]), str(r[1])])
         return items if items else None
 
     def retrieve_all_titles_unordered(self):
-        res = self._conn.execute(f"SELECT distinct key, value FROM {self._table}")
+        res = self._conn.execute(
+            "SELECT distinct key, value FROM %s" % self._table)
         items = []
         for r in res:
             items.append([str(r[0]), str(r[1])])
         return items if items else None
 
     def store(self, key, value):
-        self._conn.execute(f"INSERT INTO '{self._table}' VALUES ('{key}', '{value}')")
+        self._conn.execute("INSERT INTO '%s' VALUES ('%s', '%s')" %
+                           (self._table, key, value))
         self._conn.commit()
 
     def update_store(self, key, value):
-        self._conn.execute(f"DELETE FROM {self._table} WHERE key='{key}'")
-        self._conn.execute(f"INSERT INTO '{self._table}' VALUES ('{key}', '{value}')")
+        self._conn.execute("DELETE FROM %s WHERE key='%s'" %
+                           (self._table, key))
+        self._conn.execute("INSERT INTO '%s' VALUES ('%s', '%s')" %
+                           (self._table, key, value))
         self._conn.commit()
 
     def delete(self, key):
-        self._conn.execute(f"DELETE FROM {self._table} WHERE key='{key}'")
+        self._conn.execute("DELETE FROM %s WHERE key='%s'" %
+                           (self._table, key))
         self._conn.commit()
 
     def reset(self):
-        self._conn.execute(f"DROP TABLE IF EXISTS {self._table}")
+        self._conn.execute("DROP TABLE IF EXISTS %s" % self._table)
         self._conn.commit()
 
     def rename_table(self, new_name):
-        self._conn.execute(f"ALTER TABLE '{self._table}' RENAME TO '{new_name}'")
+        self._conn.execute("ALTER TABLE '%s' RENAME TO '%s'" %
+                           (self._table, new_name))
         self._conn.commit()
 
 
@@ -146,20 +155,23 @@ def __init__(self, table):
         self._conn = sqlite3.connect(shared_state.values["dbfile"], check_same_thread=False, timeout=10)
         self._table = table
         if not self._conn.execute(
-                f"SELECT sql FROM sqlite_master WHERE type = 'table' AND name = '{self._table}';").fetchall():
-            self._conn.execute(f"CREATE TABLE {self._table} (key)")
+                "SELECT sql FROM sqlite_master WHERE type = 'table' AND name = '%s';" % self._table).fetchall():
+            self._conn.execute(
+                '''CREATE TABLE %s (key)''' % self._table)
             self._conn.commit()
 
     def retrieve(self):
-        res = self._conn.execute(f"SELECT distinct key FROM {self._table} ORDER BY key")
+        res = self._conn.execute(
+            "SELECT distinct key FROM %s ORDER BY key" % self._table)
         items = []
         for r in res:
             items.append(str(r[0]))
         return items if items else None
 
     def store(self, key):
         key = feedcrawler.providers.common_functions.keep_alphanumeric_with_special_characters(key)
-        self._conn.execute(f"INSERT INTO '{self._table}' VALUES ('{key}')")
+        self._conn.execute("INSERT INTO '%s' VALUES ('%s')" %
+                           (self._table, key))
         self._conn.commit()
 
     def store_list(self, keys):
@@ -178,14 +190,16 @@ def store_list(self, keys):
                     k = feedcrawler.providers.common_functions.keep_alphanumeric_with_regex_characters(k)
                     key = key + (k,)
                     items.append(key)
-        self._conn.execute(f"DELETE FROM {self._table}")
-        self._conn.executemany(f"INSERT INTO '{self._table}' (key) VALUES (?)", items)
+        self._conn.execute("DELETE FROM %s" % self._table)
+        self._conn.executemany(
+            "INSERT INTO '%s' (key) VALUES (?)" % self._table, items)
         self._conn.commit()
 
     def delete(self, key):
-        self._conn.execute(f"DELETE FROM {self._table} WHERE key='{key}'")
+        self._conn.execute("DELETE FROM %s WHERE key='%s'" %
+                           (self._table, key))
         self._conn.commit()
 
     def reset(self):
-        self._conn.execute(f"DROP TABLE IF EXISTS {self._table}")
+        self._conn.execute("DROP TABLE IF EXISTS %s" % self._table)
         self._conn.commit()
diff --git a/feedcrawler/providers/version.py b/feedcrawler/providers/version.py
@@ -8,7 +8,7 @@
 
 
 def get_version():
-    return "20.1.0"
+    return "20.1.1"
 
 
 def create_version_file():

diff --git a/feedcrawler/web_interface/vuejs_frontend/package-lock.json b/feedcrawler/web_interface/vuejs_frontend/package-lock.json
diff --git a/feedcrawler/web_interface/vuejs_frontend/package.json b/feedcrawler/web_interface/vuejs_frontend/package.json
@@ -1,6 +1,6 @@
 {
   "name": "feedcrawler-web",
-  "version": "20.1.0",
+  "version": "20.1.1",
   "type": "module",
   "scripts": {
     "dev": "vite",
-Original file line number
+Diff line change
@@ Expand Up / @@ -19,6 +19,7 @@ venv @@
     # FeedCrawler files
     *.conf
     *.db
+    *.db-journal
     *.log
     *.crawljob
     *.ini
@@ Expand Down @@