Commit 87b418ed authored by Andrzej Lisak's avatar Andrzej Lisak

[ABW]: fixed SQL calls - formatting through strings can lead to SQL injection vulnerability

removed an unneeded check (it does not match the scheme, and the same condition is checked just below anyway)
parent cda1a819
......@@ -28,11 +28,9 @@ async def get_reblogged_by(db, author: str, permlink: str):
names.remove(author)
return names
async def get_data(db, sql:str, truncate_body: int = 0):
result = await db.query_all(sql);
async def process_posts(db, sql_result, truncate_body: int = 0):
posts = []
for row in result:
for row in sql_result:
row = dict(row)
post = _condenser_post_object(row, truncate_body=truncate_body)
......@@ -43,20 +41,24 @@ async def get_data(db, sql:str, truncate_body: int = 0):
async def get_by_blog_without_reblog(db, account: str, start_permlink: str = '', limit: int = 20, truncate_body: int = 0):
"""Get a list of posts for an author's blog without reblogs."""
sql = " SELECT * FROM condenser_get_by_blog_without_reblog( '{}', '{}', {} ) ".format( account, start_permlink, limit )
return await get_data(db, sql, truncate_body )
sql = "SELECT * FROM condenser_get_by_blog_without_reblog( (:author)::VARCHAR, (:permlink)::VARCHAR, :limit )"
result = await db.query_all(sql, author=account, permlink=start_permlink, limit=limit);
return await process_posts(db, result, truncate_body)
async def get_by_account_comments(db, account: str, start_permlink: str = '', limit: int = 20, truncate_body: int = 0):
"""Get a list of posts representing comments by an author."""
sql = " SELECT * FROM condenser_get_by_account_comments( '{}', '{}', {} ) ".format( account, start_permlink, limit )
return await get_data(db, sql, truncate_body )
sql = "SELECT * FROM condenser_get_by_account_comments( (:author)::VARCHAR, (:permlink)::VARCHAR, :limit )"
result = await db.query_all(sql, author=account, permlink=start_permlink, limit=limit);
return await process_posts(db, result, truncate_body)
async def get_by_replies_to_account(db, start_author: str, start_permlink: str = '', limit: int = 20, truncate_body: int = 0):
"""Get a list of posts representing replies to an author."""
sql = " SELECT * FROM condenser_get_by_replies_to_account( '{}', '{}', {} ) ".format( start_author, start_permlink, limit )
return await get_data(db, sql, truncate_body )
sql = "SELECT * FROM condenser_get_by_replies_to_account( (:author)::VARCHAR, (:permlink)::VARCHAR, :limit )"
result = await db.query_all(sql, author=start_author, permlink=start_permlink, limit=limit);
return await process_posts(db, result, truncate_body)
async def get_by_blog(db, account: str = '', start_author: str = '', start_permlink: str = '', limit: int = 20):
"""Get a list of posts for an author's blog."""
sql = " SELECT * FROM condenser_get_by_blog( '{}', '{}', '{}', {} ) ".format( account, start_author, start_permlink, limit )
return await get_data(db, sql )
sql = "SELECT * FROM condenser_get_by_blog( (:account)::VARCHAR, (:author)::VARCHAR, (:permlink)::VARCHAR, :limit )"
result = await db.query_all(sql, account=account, author=start_author, permlink=start_permlink, limit=limit);
return await process_posts(db, result)
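Review bot: The four rewritten query functions in the second hunk end their `result = await db.query_all(...)` lines with a stray `;`, a C habit that Python tolerates but linters flag — drop it on all four (the removed `get_data` carried the same one). The switch to `:author`/`:permlink`/`:limit` placeholders is the right fix, assuming `query_all` passes its keyword arguments to the driver as bind parameters, which is what the placeholder syntax indicates; `limit` is still forwarded exactly as received, so a one-line comment such as `# account/limit are validated by the API layer (see valid_account); this layer only binds parameters` would make the trust boundary explicit. In the first hunk, `process_posts` keeps a `db` parameter that the visible part of its body never reads; the body continues outside the hunk, so if nothing later uses it the parameter is dead and should be removed or documented.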
......@@ -378,8 +378,11 @@ async def get_discussions_by_comments(context, start_author: str = None, start_p
async def get_replies_by_last_update(context, start_author: str = None, start_permlink: str = '',
limit: int = 20, truncate_body: int = 0):
"""Get all replies made to any of author's posts."""
assert start_author, '`start_author` cannot be blank'
# note that in this call start_author has dual meaning:
# - when there is only start_author it means account that authored posts that we seek replies to
# - when there is also start_permlink it points to one of replies (last post of previous page) and
# we'll be getting account like above in form of author of parent post to the post pointed by
# given start_author+start_permlink
return await cursor.get_by_replies_to_account(
context['db'],
valid_account(start_author),
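Review bot: Dropping the `assert start_author, ...` guard (the removed line appears to be the check the commit message refers to) leaves `valid_account(start_author)` as the only rejection of a blank author, and since `start_author` defaults to `None` this relies on `valid_account` rejecting `None` as well as `''` — worth confirming, as the hunk does not show that function. The new five-line comment on the dual meaning of `start_author` describes paging semantics that callers need, so it belongs in the docstring rather than in an inline comment below it; e.g. extend the docstring with `With only start_author given, it names the account whose posts we seek replies to; with start_permlink as well, the pair identifies the last reply of the previous page.` The body of get_replies_by_last_update continues outside the hunk.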