Clojurians Log v2

Clojure programming
Channels
# 100-days-of-code# aatree# admin-announcements# adventofcode# ai# alda# aleph# all-the-channels# announcements# arachne# architecture# asami# atlanta-clojurians# atom-editor# autochrome-github# avi# aws# aws-lambda# babashka# babashka-sci-dev# bangalore-clj# beginners# berlin# biff# bigdata# bitcoin# boot# boot-dev# boulder-clojurians# braid-chat# braveandtrue# brevis# bristol-clojurians# business# calva# capetown# carry# cbus# cestmeetup# chestnut# chlorine-clover# cider# circleci# clara# clj-commons# cljdoc# cljfx# clj-http# clj-kondo# clj-on-windows# cljs-dev# cljs-experience# cljsfiddle# cljsjs# cljsrn# cljtogether# clojars# clojure# clojure-android# clojure-argentina# clojure-art# clojure-austin# clojure-australia# clojure-austria# clojure-bangladesh# clojure-bay-area# clojure-beijing# clojure-belgium# clojure-berlin# clojure-boston# clojure-brasil# clojurebridge# clojurebridge-ams# clojure-canada# clojure-chennai# clojure-chicago# clojure-china# clojure-colombia# clojure-conj# clojurecup# clojure-czech# clojured# clojure-denmark# clojure-denver# clojure-derby# clojuredesign-podcast# clojure-dev# clojure-dusseldorf# clojure-ecuador# clojure-egypt# clojure-estonia# clojure-europe# clojure-filipino# clojure-finland# clojure-france# clojure-gamedev# clojure-germany# clojure-greece# clojure-guangzhou# clojure-hamburg# clojure-hk# clojure-houston# clojure-hungary# clojure-india# clojureindia# clojure-indonesia# clojure-ireland# clojure-israel# clojure-italy# clojure-japan# clojure-kc# clojure-korea# clojure-losangeles# clojure-madison# clojure-mexico# clojure-miami# clojure-mk# clojure-mke# clojure-morsels# clojure-my# clojure-new-zealand# clojure-nl# clojure-nlp# clojure-norway# clojure-poland# clojure-portugal# clojure-provo# clojure-quebec# clojureremote# clojure-romania# clojure-russia# clojure-sanfrancisco# clojurescript# clojurescript-ios# clojure-sdn# clojure-seattle# clojure-serbia# clojure-sg# clojure-shanghai# clojure-spain# clojure-spec# clojuresque# clojure-survey# clojure-sweden# clojure-switzerland# clojure-taiwan# clojure-turkiye# clojure-uk# clojure-ukraine# clojureverse-ops# clojurewerkz# clojurewest# clojurex# clojure-za# clojurian-chat-app# clojutre# cloverage# cloxp# clr# code-art# code-reviews# community-development# component# conf-proposals# conjure# consulting# contributions-welcome# copenhagen-clojurians# core-async# core-logic# core-matrix# core-typed# cryogen# crypto# css# cursive# cz-clojure# d2q# datacrypt# datahike# datalevin# datalog# data-oriented-programming# data-science# datascript# datavis# dato# datomic# defnpodcast# deps-new# depstar# devcards# devops# dirac# docker# docs# domino-clj# duct# dunaj# eastwood# editors# emacs# error-message-catalog# etaoin# ethereum# euroclojure# events# exercism# expound# figwheel# figwheel-main# flambo# fulcro# funcool# functionalprogramming# funimage# garden# ghostwheel# girouette# gis# google-cloud# gorilla# graalvm# graalvm-mobile# graclj# graphql# gratitude# gsoc# hammock-driven-dev# helix# heroku# hispano# holy-lambda# honeysql# hoplon# hugsql# humor# hypercrud# hyperfiddle# immutant# improve-getting-started# incanter# indycljs# inf-clojure# instaparse# integrant# interceptors# interop# introduce-yourself# iot# iotivity# ipfs# jackdaw# jaunt# java# javascript# javelin# jobs# jobs-discuss# jobs-rus# joker# jukebox# juxt# jvm# kaocha# keechma# kekkonen# keyboards# klipse# kosmos# lambdaisland# ldnclj# ldnproclodo# lein-figwheel# leiningen# liberator# liquid# livestream# local-first-clojure# london-clojurians# lsp# luminus# lumo# mail# malli# mathematics# meander# melbourne# membrane# mental-health# microservices# mid-cities-meetup# midje# minecraft# minimallist# missionary# monads# mount# music# new-channels# new-clojure# nextjournal# nginx# nrepl# numerical-computing# nyc# observability# off-topic# om# om-next# onyx# other-languages# other-lisps# overtone# pamela# parinfer# pathom# pedestal# perun# philosophy# phzr# planck# plastic# play-clj# podcasts# polylith# portal# portkey# portland-or# powderkeg# practicalli# precept# prelude# programming-beginners# project-updates# proletarian# proton# protorepl# pulsar# pure-frame# qa# qlkit# quil# random# rdf# react# reactive# reading-clojure# reagent# reclojure# re-frame# reitit# releases# remote-jobs# respo# rethinkdb# reveal# rewrite-clj# ring# ring-swagger# robots# rum# schema# sci# sfcljs# shadow-cljs# _silence# sim-testing# sioux-falls# slack-help# sneer# sneer-br# spacemacs# specmonstah# specter# speculative# spirituality-ethics# sql# startup-in-a-month# sydney# test200# test-check# testing# thejaloniki# timbre# tmp-json-parsing# tools-build# tools-deps# trading# tree-sitter# uncomplicate# unrepl# untangled# utah-clojurians# videos# vim# vrac# vscode# wasm# web-security# windows# xtdb# yada# yleinen
Apps

sql

All things SQL and JDBC...
zilti 2020-12-17T12:03:39.492600Z

I ran into an error today. The query is as follows: 

["WITH distinct_location AS(
  SELECT MIN(city.city_id) AS city_id, location::TEXT as location_str FROM choicelist.city
   WHERE city.name ~ ?
   GROUP BY location::TEXT
)
SELECT * FROM choicelist.city AS city
 INNER JOIN distinct_location USING (city_id)
 ORDER BY city.city_id;" "EU Only)"]
Which gives this very concerning error message: org.postgresql.util.PSQLException: ERROR: invalid regular expression: parentheses () not balanced This sounds an awful lot like sql injection...

synthomat 2020-12-17T12:08:52.493600Z

indeed, the input somehow leaked into the SQL query; what library is it?

zilti 2020-12-17T12:11:30.494300Z

It's generated by HugSQL

zilti 2020-12-17T12:12:40.495300Z

And the query indeed works fine as long as the parameter doesn't have unbalanced parentheses

zilti 2020-12-17T12:15:55.495700Z

So, the chain is HugSQL -> jdbc.next -> PostgreSQL JDBC

synthomat 2020-12-17T12:18:23.495900Z

have you looked into this? https://www.hugsql.org/#faq-sql-injection

zilti 2020-12-17T12:22:33.496400Z

Yes, and according to that, value parameters get deferred "to the underlying database library to perform SQL parameter binding to prevent SQL injection issues" which would be jdbc.next in this case

curtis.summers 2020-12-17T12:30:41.497400Z

In order to debug this, can you provide the original HugSQL query and the call to the generated HugSQL function?

zilti 2020-12-17T12:33:29.498400Z

Sure, the original HugSQL query is: 

-- :name get-city-by-name :? :1
WITH distinct_location AS(
  SELECT MIN(city.city_id) AS city_id, location::TEXT as location_str FROM choicelist.city
   WHERE city.name ~ :name
   GROUP BY location::TEXT
)
SELECT * FROM choicelist.city AS city
 INNER JOIN distinct_location USING (city_id)
 ORDER BY city.city_id;
And the call: (get-city-by-name db {:name "EU Only)"})

zilti 2020-12-17T12:34:29.499Z

(or, for the sake of getting that intermediate output, (get-city-by-name-sqlvec {:name "EU Only)"}) )

curtis.summers 2020-12-17T12:38:40.499900Z

So, the error is in the regular expression syntax expected by Postgresql. invalid regular expression: parentheses () not balanced

zilti 2020-12-17T12:39:36.000300Z

Ok, so no injection going on then

zilti 2020-12-17T12:39:41.000600Z

That's a relief

curtis.summers 2020-12-17T12:39:44.000700Z

correct

zilti 2020-12-17T12:40:18.001500Z

I would've been very surprised by the way, this would be such a basic thing, pretty sure this is exactly what the parametrized queries are for in the first place

zilti 2020-12-17T12:40:54.002200Z

Now to find out why PostgreSQL wants to treat it as a regex... The database field type is CITEXT, a case-insensitive text field

zilti 2020-12-17T12:41:53.002500Z

Ah lol, of course, because of the ~ operator

zilti 2020-12-17T12:42:14.002800Z

Alright, thank you very much for helping me figure things out!

curtis.summers 2020-12-17T12:43:40.003Z

you’re welcome!