[MDEV-26952] detect RTL-LTR abuse in SQL statements Created: 2021-11-01  Updated: 2021-11-01

Status: Open
Project: MariaDB Server
Component/s: None
Fix Version/s: None

Type: Task Priority: Minor
Reporter: Sergei Golubchik Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: None


Description

One can create a string that switches between LTR and RTL, generating a misleading SQL statement that will be interpreted differently by a text viewer (like a browser) and a database engine. For example,

select 'א' , 100 ; -- ; 'א' actually

While not really a bug, we can still prevent some cases of exploiting this. There can be no valid use (as far as I understand) for RTL text occurring outside of string literals, comments and, perhaps, identifiers. A parser can detect that and abort the query as invalid.

In the example above, a switch to RTL happens inside the string literal, but then it crosses the literal boundary, the statement boundary, the comment boundary, and switches back to LTR inside the comment. This violates the rule as described above.



Comments
Comment by Sergei Golubchik [ 2021-11-01 ]

Basically, it's not even in the parser, it's in the lexer. A lexer reads a token. Before and after the token it must be LTR. Inside a token it can switch as much as it wants.
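The lexer rule sketched in the description and refined in the comment above, as an added example that is not part of the ticket or of MariaDB's code: a small Python checker built on a deliberately reduced SQL tokenizer (hypothetical, not the MariaDB lexer). It rejects a statement when a Unicode bidi control character appears outside a string literal, comment or quoted identifier, or when an embedding/isolate scope opened inside one of those tokens is still open (or is closed without having been opened) when the token ends. All sample statements are constructed; the one mimicking the ticket's example places the RLO override inside the first literal and its PDF terminator inside the trailing comment, which is exactly the boundary crossing the description calls out.

```python
"""Bidi-control check for SQL text, modelled on the lexer rule of MDEV-26952.

Rule: outside of string literals, comments and quoted identifiers no bidi
control characters are allowed; inside one such token the bidi scope may
change freely but must be balanced again when the token ends.
This is an added example, not MariaDB code; the tokenizer is a small subset.
"""
import re

# Stateful Unicode bidi controls (the "Trojan Source" family).  The marks
# LRM/RLM (U+200E/U+200F) open no scope and are treated as ordinary characters.
OPENERS_EMBED = {"\u202a", "\u202b", "\u202d", "\u202e"}  # LRE RLE LRO RLO -> closed by PDF
CLOSER_EMBED = "\u202c"                                   # PDF
OPENERS_ISOLATE = {"\u2066", "\u2067", "\u2068"}          # LRI RLI FSI -> closed by PDI
CLOSER_ISOLATE = "\u2069"                                 # PDI
BIDI_CONTROLS = OPENERS_EMBED | OPENERS_ISOLATE | {CLOSER_EMBED, CLOSER_ISOLATE}

# Token kinds whose contents may legitimately contain (balanced) bidi controls.
OPAQUE_KINDS = {"string", "comment", "quoted_ident"}

# Hypothetical reduced tokenizer: enough of SQL to separate literals, comments
# and identifiers from the rest.  Bidi controls are category Cf, so they match
# neither \s nor \w and end up as single "punct" tokens when they stand alone.
TOKEN_RE = re.compile(
    r"""
    (?P<ws>\s+)
  | (?P<comment>--[^\n]*|\#[^\n]*|/\*.*?\*/)
  | (?P<string>'(?:[^'\\]|\\.|'')*'|"(?:[^"\\]|\\.|"")*")
  | (?P<quoted_ident>`(?:[^`]|``)*`)
  | (?P<word>[^\W\d]\w*)
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<punct>.)
    """,
    re.VERBOSE | re.DOTALL,
)


def bidi_balance(text):
    """True if every embedding/isolate opened in text is closed in text, in
    nesting order, and no closer appears without a matching opener."""
    stack = []
    for ch in text:
        if ch in OPENERS_EMBED:
            stack.append("embed")
        elif ch in OPENERS_ISOLATE:
            stack.append("isolate")
        elif ch == CLOSER_EMBED:
            if not stack or stack[-1] != "embed":
                return False
            stack.pop()
        elif ch == CLOSER_ISOLATE:
            # PDI closes the innermost isolate together with any embeddings
            # opened inside it (UAX #9 semantics).
            if "isolate" not in stack:
                return False
            while stack.pop() != "isolate":
                pass
    return not stack


def check_bidi(sql):
    """Return a list of (token_kind, token_text, reason) violations.
    An empty list means the statement satisfies the lexer rule."""
    violations = []
    for m in TOKEN_RE.finditer(sql):
        kind, tok = m.lastgroup, m.group()
        if not any(ch in BIDI_CONTROLS for ch in tok):
            continue
        if kind not in OPAQUE_KINDS:
            violations.append((kind, tok, "bidi control outside string/comment/identifier"))
        elif not bidi_balance(tok):
            violations.append((kind, tok, "bidi scope crosses token boundary"))
    return violations


# Constructed samples.  U+202E = RLO (right-to-left override), U+202C = PDF.
SAFE_HEBREW = "select 'שלום', 100;"               # RTL letters only, no controls
SAFE_BALANCED = "select '\u202eabc\u202c', 100;"   # override opened and closed in one literal
# Mimics the ticket's example: the override starts inside the literal and is
# closed only inside the comment, so a renderer shows a different statement
# than the one the engine would execute.
TROJAN = "select 'א\u202e', 100; -- ; \u202c' actually"
BARE_CONTROL = "select \u202e1;"                   # control in the token stream itself

if __name__ == "__main__":
    for name, stmt in [("SAFE_HEBREW", SAFE_HEBREW), ("SAFE_BALANCED", SAFE_BALANCED),
                       ("TROJAN", TROJAN), ("BARE_CONTROL", BARE_CONTROL)]:
        print(name, check_bidi(stmt) or "ok")
```

Running the module prints "ok" for the two safe statements, two violations for the Trojan-style one (an unbalanced scope in the string token and a stray PDF in the comment token) and one for the bare control. A real lexer would apply the same balance check per token as it scans, without a second pass over the text.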

Generated at Thu Feb 08 09:49:12 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.