Raw SQL used in swift/swift/common/db.py could be escaped

For Swift:

The calls listed are used specifically to make code reusable, and the variables are only set within the code, and are not derived from user input, and thus are not at risk for injection.

That said, I'm also not against reporting it as a bug, and having them properly escaped in swift, but it shouldn't be reported as a vulnerability for swift.

Awesome, thanks Chuck for the analysis.

I'll mark Swift task as Invalid as far as the "vulnerability" is concerned... If they all turn out to be code improvements I'll just reopen the task and use this bug to track further fixes... otherwise if this bug turns out covering a real vulnerability I'll create a separate (wishlist) bug report for Swift to track this.

Adding Alessandro and Boris so that they can look into Nova hyper-v and sqlalchemy cases.
Are those raw SQL statements operating on user-controllable input ?

On the Nova Hyper-V side, those are not SQL instructions. It's WQL, a pseudo-SQL language used by WMI, very limited in comparison with SQL.

Although those instructions are not exploitable, sanitizing the input for WQL is generally a good idea.

Adding also Pedro for the Volumeutils bits.

I saw this code in nova/virt/hyperv/hostutils.py:

        logical_disk = self._conn_cimv2.query("SELECT Size, FreeSpace "
                                              "FROM win32_logicaldisk "
                                              "WHERE DeviceID='%s'"
                                              % drive)[0]

It doesn't look like safe=)

1) That's not SQL, It's WQL, a WMI specific language. There'n no database involved and there's no DML or DDL.

2) That method is used only by hostops.py:

drive = os.path.splitdrive(self._pathutils.get_instances_dir())[0]
        (size, free_space) = self._hostutils.get_volume_info(drive)

https://github.com/openstack/nova/blob/master/nova/virt/hyperv/hostops.py#L80

Now, please tell me how you want to exploit it :-)

Ok in this current situation it is imposible to exploit it,

but without such context, this method is unsafe. I agree that with WQL you are not able to execute any Alter or Drop sql request. But you are able to run something like delete * from win32_logicaldisk =)

No. As I wrote in a previous comment, there's no DML or DDL. The only SQL analog verb supported by WQL is "SELECT".

For your convenience here's a list of the WQL keywords:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa394606(v=vs.85).aspx

Generally speaking, as I wrote before, I agree in putting input sanitization checks as a rule of thumb when we use WQL, although there are no real exploit concerns. Its SQL-like syntax, unfamiliar to those which are not involved in Windows development, can understandably generate discussions such as this one. :-)

Note: WQL does not support parameters, so we have create an ad hoc method to manually escape the WQL string quotes.

ok =)

@Boris: could you comment on the exploitability of:

nova/nova/db/sqlalchemy/utils.py:64: return "INSERT INTO %s %s" % (
nova/nova/db/sqlalchemy/migrate_repo/versions/152_change_type_of_deleted_column.py:40: return "INSERT INTO %s %s"

Ok I wrote that part of code, it is really imposible to make anything bad with this part of code.

sqlalchemy/utils.py are utils that are used only in db migrations.
DB migrations are runed only by host administrators with root access to host + root access to db.

So if you are able to run this code, you are able to make something like:
ssh root@my_control_host
mysql -u...
> drop database nova

=)

Also there is no user/administrator input at all (input parameters for this functions are hardcoded in db migrations)

That's what I thought... but better safe than sorry.

@ Kurt:

Given that none of those occurences are actually exploitable, I think it makes sense to open this bug report and treat it as a wishlist strengthening improvement to get rid of the SQL calls where they could be replaced by library calls, if any.

Let me know if you object to opening this bug report.

@ Kurt, @Thierry

Just to be clear,
I would prefer to avoid any changes in db migrations scripts and db migration utils

@Thierry

On the WMI side (Hyper-V) the pseudo SQL syntax is simply the way in which the APIs are designed to be used.

Turning into Wishlist bug as suggested by Chuck on comment 2