BUG22529828: Fix potential SQL injection

nmariz · nmariz · commit c026c37f5de1 · 2016-10-04T09:33:16.000+01:00
This patch fixes a potential SQL injection that may occur when
the parameters expansion is done in multiple steps and under
some circumstances a substring in an incoming parameter value
can be expanded several times.
diff --git a/CHANGES.txt b/CHANGES.txt
@@ -3,11 +3,16 @@ MySQL Connector/Python 2.0 - Release Notes & Changes
 ====================================================
 
 MySQL Connector/Python
-Copyright (c) 2009, 2015, Oracle and/or its affiliates. All rights reserved.
+Copyright (c) 2009, 2016, Oracle and/or its affiliates. All rights reserved.
 
 Full release notes:
  http://dev.mysql.com/doc/relnotes/connector-python/en/
 
+
+v2.0.5
+======
+- BUG22529828: Fix potencial SQL injection
+
 v2.0.4
 ======
 
diff --git a/lib/mysql/connector/cursor.py b/lib/mysql/connector/cursor.py
@@ -1,5 +1,5 @@
 # MySQL Connector/Python - MySQL driver written in Python.
-# Copyright (c) 2009, 2014, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2009, 2016, Oracle and/or its affiliates. All rights reserved.
 
 # MySQL Connector/Python is licensed under the terms of the GPLv2
 # <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>, like most
@@ -29,6 +29,7 @@
 import weakref
 
 from . import errors
+from .catch23 import PY2
 
 SQL_COMMENT = r"\/\*.*?\*\/"
 RE_SQL_COMMENT = re.compile(
@@ -42,6 +43,14 @@
     re.I | re.M | re.S)
 RE_SQL_INSERT_VALUES = re.compile(r'.*VALUES\s*(\(.*\)).*', re.I | re.M | re.S)
 RE_PY_PARAM = re.compile(b'(%s)')
+RE_PY_MAPPING_PARAM = re.compile(
+    br'''
+    %
+    \((?P<mapping_key>[^)]+)\)
+    (?P<conversion_type>[diouxXeEfFgGcrs%])
+    ''',
+    re.X
+)
 RE_SQL_SPLIT_STMTS = re.compile(
     b''';(?=(?:[^"'`]*["'`][^"'`]*["'`])*[^"'`]*$)''')
 RE_SQL_FIND_PARAM = re.compile(
@@ -73,6 +82,35 @@ def remaining(self):
         return len(self.params) - self.index
 
 
+def _bytestr_format_dict(bytestr, value_dict):
+    """
+    >>> _bytestr_format_dict(b'%(a)s', {b'a': b'foobar'})
+    b'foobar
+    >>> _bytestr_format_dict(b'%%(a)s', {b'a': b'foobar'})
+    b'%%(a)s'
+    >>> _bytestr_format_dict(b'%%%(a)s', {b'a': b'foobar'})
+    b'%%foobar'
+    >>> _bytestr_format_dict(b'%(x)s %(y)s',
+    ...                      {b'x': b'x=%(y)s', b'y': b'y=%(x)s'})
+    b'x=%(y)s y=%(x)s'
+    """
+    def replace(matchobj):
+        value = None
+        groups = matchobj.groupdict()
+        if groups["conversion_type"] == b"%":
+            value = b"%"
+        if groups["conversion_type"] == b"s":
+            key = groups["mapping_key"].encode("utf-8") \
+                  if PY2 else groups["mapping_key"]
+            value = value_dict[key]
+        if value is None:
+            raise ValueError("Unsupported conversion_type: {0}"
+                             "".format(groups["conversion_type"]))
+        return value.decode("utf-8") if PY2 else value
+    return RE_PY_MAPPING_PARAM.sub(replace, bytestr.decode("utf-8")
+                                   if PY2 else bytestr)
+
+
 class CursorBase(object):
     """
     Base for defining MySQLCursor. This class is a skeleton and defines
@@ -355,7 +393,10 @@ def _process_params_dict(self, params):
                 conv = to_mysql(conv)
                 conv = escape(conv)
                 conv = quote(conv)
-                res["%({0})s".format(key).encode()] = conv
+                if PY2:
+                    res[key] = conv
+                else:
+                    res[key.encode()] = conv
         except Exception as err:
             raise errors.ProgrammingError(
                 "Failed processing pyformat-parameters; %s" % err)
@@ -488,8 +529,8 @@ def execute(self, operation, params=None, multi=False):
 
         if params is not None:
             if isinstance(params, dict):
-                for key, value in self._process_params_dict(params).items():
-                    stmt = stmt.replace(key, value)
+                stmt = _bytestr_format_dict(
+                    stmt, self._process_params_dict(params))
             elif isinstance(params, (list, tuple)):
                 psub = _ParamSubstitutor(self._process_params(params))
                 stmt = RE_PY_PARAM.sub(psub, stmt)
@@ -543,8 +584,8 @@ def remove_comments(match):
             for params in seq_params:
                 tmp = fmt
                 if isinstance(params, dict):
-                    for key, value in self._process_params_dict(params).items():
-                        tmp = tmp.replace(key, value)
+                    tmp = _bytestr_format_dict(
+                        tmp, self._process_params_dict(params))
                 else:
                     psub = _ParamSubstitutor(self._process_params(params))
                     tmp = RE_PY_PARAM.sub(psub, tmp)
diff --git a/tests/test_cursor.py b/tests/test_cursor.py
@@ -1,4 +1,4 @@
-# Copyright (c) 2009, 2014, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2009, 2016, Oracle and/or its affiliates. All rights reserved.
 
 # MySQL Connector/Python is licensed under the terms of the GPLv2
 # <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>, like most
@@ -360,6 +360,8 @@ def test__process_params(self):
             datetime.time(20, 3, 23),
             st_now,
             datetime.timedelta(hours=40, minutes=30, seconds=12),
+            'foo %(t)s',
+            'foo %(s)s',
         )
         exp = (
             b'NULL',
@@ -381,6 +383,8 @@ def test__process_params(self):
             b"'" + time.strftime('%Y-%m-%d %H:%M:%S', st_now).encode('ascii')
             + b"'",
             b"'40:30:12'",
+            b"'foo %(t)s'",
+            b"'foo %(s)s'",
         )
 
         self.cnx = connection.MySQLConnection(**tests.get_mysql_config())
@@ -420,28 +424,32 @@ def test__process_params_dict(self):
             'p': datetime.time(20, 3, 23),
             'q': st_now,
             'r': datetime.timedelta(hours=40, minutes=30, seconds=12),
+            's': 'foo %(t)s',
+            't': 'foo %(s)s',
         }
         exp = {
-            b'%(a)s': b'NULL',
-            b'%(b)s': b'128',
-            b'%(c)s': b'1281288',
-            b'%(d)s': repr(float(3.14)) if PY2 else b'3.14',
-            b'%(e)s': b"'3.14'",
-            b'%(f)s': b"'back\\\\slash'",
-            b'%(g)s': b"'newline\\n'",
-            b'%(h)s': b"'return\\r'",
-            b'%(i)s': b"'\\'single\\''",
-            b'%(j)s': b'\'\\"double\\"\'',
-            b'%(k)s': b"'windows\\\x1a'",
-            b'%(l)s': b"'Strings are sexy'",
-            b'%(m)s': b"'\xe8\x8a\xb1'",
-            b'%(n)s': b"'2008-05-07 20:01:23'",
-            b'%(o)s': b"'2008-05-07'",
-            b'%(p)s': b"'20:03:23'",
-            b'%(q)s': b"'" +
+            b'a': b'NULL',
+            b'b': b'128',
+            b'c': b'1281288',
+            b'd': repr(float(3.14)) if PY2 else b'3.14',
+            b'e': b"'3.14'",
+            b'f': b"'back\\\\slash'",
+            b'g': b"'newline\\n'",
+            b'h': b"'return\\r'",
+            b'i': b"'\\'single\\''",
+            b'j': b'\'\\"double\\"\'',
+            b'k': b"'windows\\\x1a'",
+            b'l': b"'Strings are sexy'",
+            b'm': b"'\xe8\x8a\xb1'",
+            b'n': b"'2008-05-07 20:01:23'",
+            b'o': b"'2008-05-07'",
+            b'p': b"'20:03:23'",
+            b'q': b"'" +
             time.strftime('%Y-%m-%d %H:%M:%S', st_now).encode('ascii')
             + b"'",
-            b'%(r)s': b"'40:30:12'",
+            b'r': b"'40:30:12'",
+            b's': b"'foo %(t)s'",
+            b't': b"'foo %(s)s'",
         }
 
         self.cnx = connection.MySQLConnection(**tests.get_mysql_config())
