From 383464d61526424c18a540fe3ac30c4c6c17d616 Mon Sep 17 00:00:00 2001
From: tomaioo
Date: Tue, 23 Jun 2026 05:08:31 -0700
Subject: [PATCH] fix(graphnet): sql injection via string formatting in sqliteextra

The `SQLiteExtractor.__call__` method constructs SQL queries using Python f-strings with direct string interpolation for table names and event lists. While `event_nos` uses `map(str, event_nos)` which converts to strings, the `_extractor_name` is used directly in the query without sanitization. If an attacker can control the extractor name, they could inject malicious SQL. More critically, the `event_list` is joined with commas but not parameterized, and the table name is directly interpolated.

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
---
 src/graphnet/data/extractors/internal/sqlite_extractor.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/graphnet/data/extractors/internal/sqlite_extractor.py b/src/graphnet/data/extractors/internal/sqlite_extractor.py
index bc9db92d7..5d41df76e 100644
--- a/src/graphnet/data/extractors/internal/sqlite_extractor.py
+++ b/src/graphnet/data/extractors/internal/sqlite_extractor.py
@@ -35,9 +35,9 @@ def __call__(
 fileset: Tuple of (sqlite3 connection, list of event numbers).
 """
 conn, event_nos = fileset
- event_list = ",".join(map(str, event_nos))
+ placeholders = ",".join("?" * len(event_nos))
 query = (
 f"SELECT * FROM {self._extractor_name} "
- f"WHERE event_no IN ({event_list})"
+ f"WHERE event_no IN ({placeholders})"
 )
- return pd.read_sql_query(query, conn)
+ return pd.read_sql_query(query, conn, params=list(event_nos))
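Review bot: The table name is still interpolated unescaped on the unchanged `f"SELECT * FROM {self._extractor_name} "` line, so the identifier injection that the commit message itself describes is not closed by this patch; SQLite cannot bind identifiers as host parameters, so the name should be validated and quoted instead, e.g. before `query = (` add `if not self._extractor_name.isidentifier():` / `    raise ValueError(f"unsafe table name: {self._extractor_name!r}")` and change the SELECT line to `f'SELECT * FROM "{self._extractor_name}" '`. Binding one `?` per event also makes the statement subject to SQLite's host-parameter cap (SQLITE_MAX_VARIABLE_NUMBER, 999 in older builds and 32766 since 3.32.0), so a long event list that the old string-joined form handled will now fail with `sqlite3.OperationalError: too many SQL variables`; chunking the list into bounded `IN (...)` batches would avoid that, and at minimum a `# NOTE:` on the `placeholders` line should state the limit. `"?" * len(event_nos)` additionally requires a sized sequence where the old `map(str, event_nos)` accepted any iterable, which is consistent with the docstring's "list of event numbers" but narrows the accepted input. `__call__` begins outside the hunk.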