RRS: Fix raw SQL statements to use parameters

For security reasons it's best practice to use parameters to pass values into SQL statements and not substitute them in as strings (with Django's database API the distinction is subtle, but we pass in the parameters in a second list parameter instead of using % to substitute them before passing the query in). Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
2025-07-19 12:49:01 +02:00 · 2019-01-14 21:54:34 +13:00 · 2019-01-14 21:54:34 +13:00 · 7ab7766ec7
commit 7ab7766ec7
parent a17652256f
1 changed files with 17 additions and 22 deletions
--- a/rrs/views.py
+++ b/rrs/views.py
@ -99,17 +99,16 @@ class Raw():
    def get_ma_by_recipes_and_date(recipes_id, date_id=None):
        """ Get Maintainer based on Recipes and Recipe Upstream History """
        stats = []
        recipes = str(recipes_id).strip('[]')
        if date_id:
            qry = """SELECT rema.recipe_id, ma.name
                    FROM rrs_recipemaintainer AS rema
                    INNER JOIN rrs_maintainer AS ma
-                    ON rema.maintainer_id = ma.id"""
+                    ON rema.maintainer_id = ma.id
-            qry += "\nWHERE rema.history_id = '%s'" % str(date_id)
+                    WHERE rema.history_id = %s
-            qry += "\nAND rema.recipe_id IN (%s);" % recipes
+                    AND rema.recipe_id IN %s;"""
            cur = connection.cursor()
-            cur.execute(qry)
+            cur.execute(qry, [str(date_id), tuple(recipes_id)])
            stats = Raw.dictfetchall(cur)
        return stats
@ -130,13 +129,12 @@ class Raw():
                recipes.append(re["id"])
        if date_id and recipes:
            recipes = str(recipes).strip('[]')
            qry = """SELECT id, status, no_update_reason
-                    FROM rrs_recipeupstream"""
+                    FROM rrs_recipeupstream
-            qry += "\nWHERE history_id = '%s'" % str(date_id.id)
+                    WHERE history_id = %s
-            qry += "\nAND recipe_id IN (%s);" % recipes
+                    AND recipe_id IN %s;"""
            cur = connection.cursor()
-            cur.execute(qry)
+            cur.execute(qry, [str(date_id.id), tuple(recipes)])
            for re in Raw.dictfetchall(cur):
                if re["status"] == "Y":
@ -155,15 +153,14 @@ class Raw():
    def get_reup_by_recipes_and_date(recipes_id, date_id=None):
        """ Get Recipe Upstream based on Recipes and Recipe Upstream History """
        stats = []
        recipes = str(recipes_id).strip('[]')
        if date_id:
            qry = """SELECT recipe_id, status, no_update_reason, version
-                    FROM rrs_recipeupstream"""
+                    FROM rrs_recipeupstream
-            qry += "\nWHERE history_id = '%s'" % str(date_id)
+                    WHERE history_id = %s
-            qry += "\nAND recipe_id IN (%s);" % recipes
+                    AND recipe_id IN %s;"""
            cur = connection.cursor()
-            cur.execute(qry)
+            cur.execute(qry, [str(date_id), tuple(recipes_id)])
            stats = Raw.dictfetchall(cur)
        return stats
@ -215,15 +212,13 @@ class Raw():
    @staticmethod
    def get_reupg_by_dates_and_recipes(start_date, end_date, recipes_id):
        """  Get Recipe Upgrade for the milestone based on Recipes """
        recipes = str(recipes_id).strip('[]')
        cur = connection.cursor()
        qry = """SELECT DISTINCT recipe_id
-                FROM rrs_recipeupgrade"""
+                FROM rrs_recipeupgrade
-        qry += "\nWHERE commit_date >= '%s'" % str(start_date)
+                WHERE commit_date >= %s
-        qry += "\nAND commit_date <= '%s'" % str(end_date)
+                AND commit_date <= %s
-        qry += "\nAND recipe_id IN (%s);" % recipes
+                AND recipe_id IN %s;"""
-        cur.execute(qry)
+        cur.execute(qry, [start_date, end_date, tuple(recipes_id)])
        return Raw.dictfetchall(cur)
    @staticmethod