Thanks to visit codestin.com
Credit goes to github.com

Skip to content

bug: Fix formatTime escaping #1727

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
kavirajk merged 2 commits into from
Dec 6, 2025
Merged

bug: Fix formatTime escaping #1727

kavirajk merged 2 commits into from
Dec 6, 2025
+65 −3

Conversation

@kavirajk
Copy link
Contributor

@kavirajk kavirajk commented Dec 4, 2025

Summary

Currently formatTime do not properly escape the timezone info passed to it. Meaning timezone info can contain malicious SQL.

This PR makes sure it's properly escaped

Fixes: #1713

Checklist

Delete items not relevant to your PR:

  • Unit and integration tests covering the common scenarios were added
  • A human-readable description of the changes was provided to include in CHANGELOG
  • For significant changes, documentation in https://github.com/ClickHouse/clickhouse-docs was updated with further explanations or tutorials

@kavirajk
bug: Fix formatTime escaping
7878795 
Currently formatTime do not properly escape the timezone info passed to
it. Meaning timezone info can contain mallicious SQL.

This PR makes sure it's properlty escaped

Signed-off-by: Kaviraj <[email protected]>
@kavirajk kavirajk requested a review from chernser December 4, 2025 14:15
@kavirajk kavirajk self-assigned this Dec 4, 2025
chernser
chernser reviewed Dec 5, 2025
View reviewed changes
bind.go Outdated
}

// Escape the timezone string (timezone may contain malicious SQL query)
escapedTimezone := stringQuoteReplacer.Replace(value.Location().String())
Copy link

@chernser chernser Dec 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It may be fixes bug but causes sending invalid timezone to server.
We could fix it with https://pkg.go.dev/time#LoadLocation but it might have horrible performance. :-(

Copy link

@chernser chernser Dec 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should not accept invalid timezone and inform application owner about malicious attempt.
the most simple way is to compare length of escaped and unescapted TZ and return error say that TZ contains invalid string and print escaped string.

Copy link
Contributor Author

@kavirajk kavirajk Dec 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch. Not only time.LoadLocation is slow, there also a chance, the timezone location we look up for may not present in the local node that is running (that not necessarily meaning it's invalid).

I think comparing the length approach is decent one. But I'm bit worried it's not full fool proof. Technically there is no limit on the timezone string.

Let me think about it.

Copy link

@chernser chernser Dec 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@kavirajk the idea is not to limit string but check if we escaped something.
if UTC or ANY_LONG_TIMEZONE/ON_SOME_FAR_FAR_PLANET is in - then we have nothing to escape and
len(original) == len(escaped).

The main thing here is to catch invalid thing on client side. Most cases it should be fine - but weird names will be blocked and users will create issue if they believe it is a valid timezone.

Copy link
Contributor Author

@kavirajk kavirajk Dec 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Make sense. I added the length check and updated the tests accordingly. @chernser

chernser
chernser requested changes Dec 5, 2025
View reviewed changes
Copy link

@chernser chernser left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

need changes. see comments.

@kavirajk
PR remarks
997700e 
Add client-side check on invalid timezone name

Signed-off-by: Kaviraj <[email protected]>
@kavirajk kavirajk merged commit d96c5a9 into main Dec 6, 2025
20 of 21 checks passed
@kavirajk kavirajk mentioned this pull request Dec 6, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chernser chernser chernser approved these changes

Assignees

@kavirajk kavirajk

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Input validation issue on bind method

3 participants

@kavirajk @chernser