builq's Introduction

Website

This website is built using Docusaurus 2, a modern static website generator.

Installation

$ yarn

Local Development

$ yarn start

This command starts a local development server and opens up a browser window. Most changes are reflected live without having to restart the server.

Build

$ yarn build

This command generates static content into the build directory, which can be served by any static content hosting service.

Deployment

Using SSH:

$ USE_SSH=true yarn deploy

Not using SSH:

$ GIT_USER=<Your GitHub username> yarn deploy

If you are using GitHub Pages for hosting, this command is a convenient way to build the website and push it to the gh-pages branch.

builq's People

Contributors

cristaloleg, dependabot[bot], tmzane

builq's Issues

Possible SQL injections?

package example_test // package name assumed; the issue does not show it

import (
	"database/sql"
	"errors"
	"testing"

	"github.com/DATA-DOG/go-sqlmock"
	"github.com/cristalhq/builq"
	"github.com/davecgh/go-spew/spew"
)

func TestSQLInjectionPrevention(t *testing.T) {
	// sqlmock's default matcher treats ExpectQuery's argument as a regexp.
	db, mock, err := sqlmock.New()
	if err != nil {
		t.Fatalf("An error '%s' was not expected when opening a stub database connection", err)
	}
	defer db.Close()

	tests := []struct {
		name    string
		user    string
		bb      func(user string) *builq.Builder
		prepare func(mock sqlmock.Sqlmock, user string)
	}{
		{
			// %s writes the value verbatim into the query text.
			name: "FmtSprintf Injection",
			user: "'; DROP TABLE users; --",
			bb: func(user string) *builq.Builder {
				return builq.New()("SELECT * FROM users WHERE username = '%s'", user)
			},
			prepare: func(mock sqlmock.Sqlmock, user string) {
				mock.ExpectQuery("SELECT \\* FROM users WHERE username = '.*; DROP TABLE users; --'").
					WillReturnRows(sqlmock.NewRows([]string{"id", "username"}))
			},
		},
		{
			// Same verb used for an identifier: the table name carries the payload.
			name: "TableName Injection",
			user: "admin",
			bb: func(user string) *builq.Builder {
				tableName := "users; DROP TABLE sensitive_data; --"
				return builq.New()("SELECT * FROM %s WHERE username = '%s'", tableName, user)
			},
			prepare: func(mock sqlmock.Sqlmock, user string) {
				mock.ExpectQuery(".+ DROP TABLE sensitive_data;.+").
					WillReturnRows(sqlmock.NewRows([]string{"id", "username"}))
			},
		},
	}

	for _, tc := range tests {
		t.Run(tc.name, func(t *testing.T) {
			tc.prepare(mock, tc.user)

			query, args, err := tc.bb(tc.user).Build()
			if err != nil {
				t.Fatalf("could not build query: %v", err)
			}

			// Print the built SQL so the injected text is visible in the test output.
			spew.Dump(query)

			_, err = db.Query(query, args...)
			if err != nil && !errors.Is(err, sql.ErrNoRows) {
				t.Errorf("Unexpected error: %v", err)
			}

			// The test passes only if the mock saw the injected statement.
			if err := mock.ExpectationsWereMet(); err != nil {
				t.Errorf("There were unfulfilled expectations: %s", err)
			}
		})
	}
}
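The test above formats both the username and the table name straight into the SQL text. What follows is an added example (not code from builq or the issue author; standard library only, so it runs without the builq module) showing the defence for each of the two cases: the value travels as a bound parameter and the identifier through an allow-list, the same split builq draws between its placeholder verbs and its raw %s verb. The allow-list contents, the function names and the crude StatementCount check are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// allowedTables is a constructed allow-list: the fixed set of tables this code
// may query. Identifiers cannot be bound as parameters, so an allow-list is the
// defence for the issue's "TableName Injection" case.
var (
	allowedTables    = map[string]bool{"users": true, "accounts": true}
	identRe          = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)
	ErrBadIdentifier = errors.New("table name rejected")
)

// UnsafeUserQuery mirrors the issue's test: the value is formatted straight
// into the SQL text, so a crafted username rewrites the statement.
func UnsafeUserQuery(table, user string) string {
	return fmt.Sprintf("SELECT * FROM %s WHERE username = '%s'", table, user)
}

// SafeUserQuery validates the identifier and passes the value as a bound
// parameter ($1, PostgreSQL style); the query text never contains it.
func SafeUserQuery(table, user string) (string, []any, error) {
	if !identRe.MatchString(table) || !allowedTables[table] {
		return "", nil, ErrBadIdentifier
	}
	return "SELECT * FROM " + table + " WHERE username = $1", []any{user}, nil
}

// StatementCount is a crude review-time check for the injected shape in the
// issue (extra statements after ';'); a single SELECT yields 1.
func StatementCount(query string) int {
	n := 0
	for _, part := range strings.Split(query, ";") {
		if strings.TrimSpace(part) != "" {
			n++
		}
	}
	return n
}

func main() {
	bad := "'; DROP TABLE users; --" // constructed input taken from the issue
	q, args, err := SafeUserQuery("users", bad)
	fmt.Println(StatementCount(UnsafeUserQuery("users", bad)), StatementCount(q), q, args, err)
}
```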

No mention of sanitization in README

Maybe worth noting in the README:

  • what kind of sanitizing is done to inputs
  • If there is sanitization at all (I don't think I was able to find any at a glance)
  • If the library is safe or not safe, what environment is it envisioned for: maybe only for when the programmer is constructing the queries, not for external inputs