- Type: Bug
- Status: Resolved
- Priority: Minor
- Resolution: Won't Fix
- Affects Version/s: 2.2.323
- Fix Version/s: NoFixVersionApplicable
- Component/s: Local client
We should use SQLite parameterized queries with the `?` placeholder, instead of building SQL text by string concatenation, to prevent potential SQL injection. Bandit flags the current code:

```text
% bandit nuxeo-drive-client/nxdrive/engine/dao/sqlite.py
Test results:
>> Issue: [B608:hardcoded_sql_expressions] Possible SQL injection vector through string-based query construction.
   Severity: Medium   Confidence: Medium
   Location: nuxeo-drive-client/nxdrive/engine/dao/sqlite.py:176
175	        if migrate:
176	            res = c.execute("SELECT value FROM Configuration WHERE name='"+SCHEMA_VERSION+"'").fetchone()
177	            if res is None:
# (...)

Run metrics:
	Total issues (by severity):
		Undefined: 0
		Low: 0
		Medium: 23
		High: 0
```
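The following is an added example, not code from the nuxeo-drive project, showing the flagged concatenation form next to the `?`-placeholder form the ticket asks for. The `Configuration` table and `SCHEMA_VERSION` name come from the bandit snippet above; the in-memory table layout, the second row with an apostrophe in its name, and the helper function names are assumptions constructed for the demonstration.

```python
import sqlite3

# Constructed value; mirrors the SCHEMA_VERSION constant seen in the bandit report.
SCHEMA_VERSION = "schema_version"


def make_db():
    """Build a constructed in-memory Configuration table (assumed layout)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Configuration (name TEXT PRIMARY KEY, value TEXT)")
    rows = [
        (SCHEMA_VERSION, "3"),
        ("owner's note", "keep"),  # a legitimate name containing a quote character
    ]
    conn.executemany("INSERT INTO Configuration (name, value) VALUES (?, ?)", rows)
    conn.commit()
    return conn


def get_config_concat(conn, name):
    """Vulnerable form (what bandit B608 flags): the name is spliced into the SQL text.

    Any quote character in `name` is interpreted as SQL syntax rather than data.
    """
    c = conn.cursor()
    res = c.execute("SELECT value FROM Configuration WHERE name='" + name + "'").fetchone()
    return res[0] if res else None


def get_config_param(conn, name):
    """Hardened form: `?` placeholder, the name travels as a bound parameter.

    SQLite receives the SQL text and the value separately, so the value can never
    change the shape of the statement, whatever characters it contains.
    """
    c = conn.cursor()
    res = c.execute("SELECT value FROM Configuration WHERE name=?", (name,)).fetchone()
    return res[0] if res else None


def set_config_param(conn, name, value):
    """Parameterized upsert; several `?` placeholders are bound positionally."""
    conn.execute(
        "INSERT OR REPLACE INTO Configuration (name, value) VALUES (?, ?)",
        (name, value),
    )
    conn.commit()


def compare(conn, name):
    """Return (concatenated_outcome, parameterized_outcome) for the same lookup.

    The concatenated form is wrapped so a broken statement shows up as an
    'error:' string instead of an exception; the parameterized form needs no such
    handling because it cannot produce a malformed statement.
    """
    try:
        concat = get_config_concat(conn, name)
    except sqlite3.OperationalError as exc:
        concat = "error: " + str(exc)
    return concat, get_config_param(conn, name)


if __name__ == "__main__":
    db = make_db()
    for key in (SCHEMA_VERSION, "owner's note"):
        print(repr(key), "->", compare(db, key))
```

For the plain `schema_version` key both forms agree, but for the row whose name contains an apostrophe only the `?` form returns the stored value; the concatenated statement is malformed and SQLite rejects it. That is the same property that keeps untrusted input from altering the query.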