
I'm using input from the user to query Snowflake within a DRF view. How do I prevent the possibility of SQL injection in the code below?

from snowflake.snowpark.functions import col  # Snowpark column expression helper

entity_id = kwargs['pk']  # user-controlled value taken from the URL
table = session.table("my_table").filter(col(ID_COL) == entity_id)
  • Can't you use 'path/<int:pk>'? Commented May 26, 2024 at 11:33
  • Why do you think there is even an injection risk here? Commented May 26, 2024 at 11:38
  • The id is a string, not an integer. @Tim Biegeleisen, I tried to find something explicit in the documentation but didn't find anything. Commented May 26, 2024 at 12:52
  • @LiorA Most likely, your builder code is internally being backed by a prepared statement, so injection is not a real concern. Commented May 26, 2024 at 13:04
  • The builder in the Snowpark API, you mean? But nothing explicit is mentioned, so one can't be sure it's protecting against injection. Maybe I'm missing something? Commented May 28, 2024 at 10:13

1 Answer

The good news is that the user input should be already filtered if you are using filter().

Testing with Snowpark:

import snowflake.snowpark as snowpark
from snowflake.snowpark.functions import col

def main(session: snowpark.Session): 
    # Your code goes here, inside the "main" handler.
    tableName = 'information_schema.packages'
    dataframe = session.table(tableName).filter(col("language") == "';drop table bobby_tables")

    # Print a sample of the dataframe to standard output.
    dataframe.show()

    # Return value will appear in the Results tab.
    return dataframe

If you go check the Snowflake logs, you'll find that Snowflake ran the following query, with the quote escaped:

SELECT  *  
FROM information_schema.packages 
WHERE ("LANGUAGE" = ''';drop table bobby_tables')
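The log line above shows the whole protection: the single quote in the input is doubled, so the payload stays inside one string literal. The following added example (not part of the question or the answer, and not Snowpark code) reproduces that escaping in plain Python and contrasts it with naive string interpolation, using the same payload. The table and column names are constructed, and no Snowflake connection is involved; the small statement splitter only exists to make visible whether the payload terminated the literal.

```python
"""Added example: Snowflake-style quote doubling versus string concatenation.
Constructed for illustration; runs offline with no Snowflake connection."""

# Constructed sample input, the same payload used in the answer.
USER_INPUT = "';drop table bobby_tables"


def quote_literal(value: str) -> str:
    """Render a string as a SQL single-quoted literal, doubling embedded quotes.
    This is the transformation visible in the answer's query log."""
    return "'" + value.replace("'", "''") + "'"


def build_unsafe(entity_id: str) -> str:
    """String interpolation: the input is pasted into the SQL text verbatim,
    so a quote in it ends the literal early."""
    return f'SELECT * FROM my_table WHERE "ID" = \'{entity_id}\''


def build_escaped(entity_id: str) -> str:
    """What the filter() path produced in the answer: a single literal with
    the input's quote escaped."""
    return f'SELECT * FROM my_table WHERE ("ID" = {quote_literal(entity_id)})'


def split_statements(sql: str) -> list[str]:
    """Split SQL text on semicolons that lie outside single-quoted literals.
    A doubled quote ('') inside a literal is an escaped quote, not a terminator.
    Deliberately minimal tokenizer, enough for the demonstration."""
    statements, buf, in_string, i = [], [], False, 0
    while i < len(sql):
        ch = sql[i]
        if in_string:
            if ch == "'":
                if i + 1 < len(sql) and sql[i + 1] == "'":  # escaped quote
                    buf.append("''")
                    i += 2
                    continue
                in_string = False
            buf.append(ch)
        elif ch == "'":
            in_string = True
            buf.append(ch)
        elif ch == ";":
            statements.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    tail = "".join(buf).strip()
    if tail:
        statements.append(tail)
    return statements


def literal_value(sql: str) -> str:
    """Recover the value of the first single-quoted literal in a statement,
    undoing the quote doubling, to show the escaped query still carries the
    user's original string as one value."""
    out, i = [], sql.index("'") + 1
    while i < len(sql):
        if sql[i] == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":
                out.append("'")
                i += 2
                continue
            break
        out.append(sql[i])
        i += 1
    return "".join(out)


if __name__ == "__main__":
    unsafe = build_unsafe(USER_INPUT)
    safe = build_escaped(USER_INPUT)
    # Concatenation yields two statements: the payload escaped the literal.
    print("concatenated :", split_statements(unsafe))
    # Escaping yields one statement; the payload is still just data.
    print("escaped      :", split_statements(safe))
    print("literal value:", literal_value(safe))
```

The practical takeaway is the one the answer gives: build the predicate with `col(...) == value` (or otherwise let the client bind the value) rather than formatting user input into a `session.sql(...)` string yourself, because only the former reliably applies this escaping.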

1 Comment

Thanks, I really think they should write something about it in the Snowflake documentation.
