process_fts_update: Fix S608 Possible SQL injection vector.

Although this code was not actually vulnerable as written, we never
want to disable this Ruff rule, in order to discourage the later
introduction of vulnerabilities.

Signed-off-by: Anders Kaseorg <anders@zulip.com>
Anders Kaseorg
2025-06-29 00:34:14 -04:00
committed by Tim Abbott
parent 98e65b220a
commit d64ab7abf7


@@ -45,6 +45,7 @@ from collections.abc import Sequence
import psycopg2
import psycopg2.extensions
from psycopg2.sql import SQL
BATCH_SIZE = 1000
@@ -79,16 +80,22 @@ def update_fts_columns(conn: psycopg2.extensions.connection) -> int:
if message_ids:
if USING_PGROONGA:
update_sql = "search_pgroonga = escape_html(subject) || ' ' || rendered_content"
update_sql = SQL(
"search_pgroonga = escape_html(subject) || ' ' || rendered_content"
)
else:
update_sql = "search_tsvector = to_tsvector('zulip.english_us_search', subject || rendered_content)"
update_sql = SQL(
"search_tsvector = to_tsvector('zulip.english_us_search', subject || rendered_content)"
)
cursor.execute(
f"UPDATE zerver_message SET {update_sql} " # noqa: S608
"WHERE ctid IN ("
" SELECT ctid FROM zerver_message"
" WHERE id IN %s"
" ORDER BY id FOR UPDATE"
")",
SQL(
"UPDATE zerver_message SET {update_sql} "
"WHERE ctid IN ("
" SELECT ctid FROM zerver_message"
" WHERE id IN %s"
" ORDER BY id FOR UPDATE"
")"
).format(update_sql=update_sql),
(message_ids,),
)
if row_ids:
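Review bot: `SQL(...)` on the new side is a trust marker rather than an escaping step: psycopg2's sql composition satisfies S608 only because it assumes anything passed to `SQL()` is a hard-coded literal, so the protection this commit buys depends on no later edit wrapping a runtime-built string in `SQL()`. That is worth pinning down with a comment above the first `update_sql = SQL(`, e.g. `# SQL() must only ever wrap string literals; dynamic identifiers go through sql.Identifier() and values stay %s parameters, as message_ids does below.` One pre-existing point the commit carries over unchanged: `message_ids` is built above the hunk, and if it is a list psycopg2 adapts it as an ARRAY literal, which `WHERE id IN %s` does not accept — `IN` needs a tuple, so `(tuple(message_ids),)` would be the safe form unless the construction already guarantees a tuple. update_fts_columns starts above the hunk.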