
Reject SQL queries containing null characters by ever0de · Pull Request #5981 · RustPython/RustPython

Walkthrough

A validation step was added to the Statement::new function in the SQLite module, ensuring that SQL statement strings containing null ('\0') characters are detected and rejected with a ProgrammingError. This check is performed after UTF-8 conversion and before further processing.

Changes

File(s)                 Change Summary
stdlib/src/sqlite.rs    Added a check in Statement::new to reject SQL strings with null characters.

Sequence Diagram(s)

sequenceDiagram
    participant Caller
    participant Statement
    participant Error

    Caller->>Statement: new(sql_string)
    Statement->>Statement: Convert sql_string to UTF-8
    Statement->>Statement: Check for null ('\0') character
    alt Null character found
        Statement->>Error: Return ProgrammingError("statement contains a null character")
    else No null character
        Statement->>Statement: Proceed to C string conversion and statement preparation
    end
    Statement-->>Caller: Return result (Statement or Error)

Suggested reviewers

  • youknowone

Poem

In the land of code where queries dwell,
A sneaky null char tried to cast its spell.
But now, with a check both sharp and bright,
No phantom bytes escape our sight!
🐇✨
Bugs beware—your tricks won't fare!


📜 Recent review details

Configuration used: .coderabbit.yml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a54873d and 062278e.

⛔ Files ignored due to path filters (1)
  • Lib/test/test_sqlite3/test_regression.py is excluded by !Lib/**
📒 Files selected for processing (1)
  • stdlib/src/sqlite.rs (1 hunks)
🧰 Additional context used
📓 Path-based instructions (1)
**/*.rs

Instructions used from:

Sources:
📄 CodeRabbit Inference Engine

  • .github/copilot-instructions.md
🔇 Additional comments (1)
stdlib/src/sqlite.rs (1)

2298-2303: LGTM! Excellent security improvement that aligns with CPython behavior.

This validation correctly prevents SQL injection vulnerabilities that could arise from embedded null characters truncating SQL statements when converted to C strings. The check is well-positioned after UTF-8 conversion and before C string conversion, providing early failure with an appropriate ProgrammingError.
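The truncation the review comment above describes, and the check the Walkthrough summarizes (UTF-8 conversion, then the null check, then C string conversion), as an added stand-alone Rust example. This is not RustPython's sqlite.rs code: `prepare_sql`, `as_seen_by_c` and the `ProgrammingError` struct are illustrative names, and the query is constructed for the example.

```rust
use std::ffi::CString;

// Illustrative stand-in for the ProgrammingError the Walkthrough mentions
// (not RustPython's exception type).
#[derive(Debug, PartialEq)]
pub struct ProgrammingError(pub String);

/// Same order of operations as the sequence diagram: UTF-8 conversion,
/// then the null check, then C string conversion.
pub fn prepare_sql(sql: &[u8]) -> Result<CString, ProgrammingError> {
    // 1. UTF-8 conversion; bytes that are not valid UTF-8 are rejected here.
    let text = std::str::from_utf8(sql)
        .map_err(|e| ProgrammingError(format!("statement is not valid UTF-8: {e}")))?;

    // 2. Explicit null check, before anything is handed to the C API.
    if text.contains('\0') {
        return Err(ProgrammingError("statement contains a null character".into()));
    }

    // 3. C string conversion. CString::new also refuses interior NULs, so the
    // explicit check above is what turns that into the user-facing error.
    CString::new(text).map_err(|e| ProgrammingError(e.to_string()))
}

/// What a strlen()-based C consumer would see if the raw bytes reached it:
/// everything from the first NUL onward is silently dropped.
pub fn as_seen_by_c(sql: &[u8]) -> String {
    let end = sql.iter().position(|&b| b == 0).unwrap_or(sql.len());
    String::from_utf8_lossy(&sql[..end]).into_owned()
}

fn main() {
    // Constructed input: the NUL hides the trailing access-control condition.
    let sql = b"SELECT name FROM users WHERE id = 1\0 AND is_public = 1";

    println!("C would parse: {:?}", as_seen_by_c(sql));
    match prepare_sql(sql) {
        Ok(c) => println!("accepted: {:?}", c),
        Err(e) => println!("rejected: {}", e.0),
    }
    println!("clean statement: {:?}", prepare_sql(b"SELECT 1").unwrap());
}
```

Running it shows the failure mode the comment refers to: without the check, a C-side consumer would execute `SELECT name FROM users WHERE id = 1` and never see the `AND is_public = 1` filter; with the check, the statement is rejected before any C string is built. Rust's `CString::new` would itself return a `NulError` for the interior NUL, so the explicit check does not change what can reach SQLite, but it produces the specific `ProgrammingError` that callers of the Python `sqlite3` API expect, at the point in the flow the diagram shows.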
