[Dbix-class] set_column with references - possible SQL injection

Heinz Ekker heinz.ekker at vbcf.ac.at
Mon Feb 19 09:49:32 GMT 2018


Hi!

Sorry, too, for the delay in response....

> On 11 Feb 2018, at 16:49 , Peter Rabbitson <rabbit+dbic at rabbit.us> wrote:
> 
> Yes, this is a legitimate problem, thank you for finding and reporting it! ( although in the future please consider contacting an author directly in private when a potential vulnerability has been identified - doing so publicly is somewhat suboptimal )

I know, I was not sure how to report or ask about this. In this case I didn't see it as a bug/security problem in DBIx::Class itself - it's a) me passing on arbitrary data structures from users without checking and b) SQL::Abstract doing unexpected things. I thought if I had been aware I'd have taken more care, and that way more people would be aware, too. But I'll report things like that privately in the future.

> 
> A solid fix for all of the above ( and potentially similar issues ) would be to augment the already-existing injection guard [2] to explicitly look for
> 
> qr/ \b (?: SELECT | UPDATE | DELETE | INSERT ) \b /ix

Great, thanks!

> I suspect this should go into the default set shipped with SQL::Abstract [3] , but have not yet done any testing / analysis of how much impact this would have.
> 
> As a first step I'd recommend you contact the mojolicious people with this workaround, as they currently seem to be the primary driver behind SQLA things.

Will do, at the moment work's not leaving me much time (as you might've guessed from my response time), but there's some light on the horizon.

Ciao,
Heinz
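The application-side check that case a) above calls for, as an added example that is not code from the thread, from DBIx::Class or from SQL::Abstract: it is meant to run on request data before it reaches set_column(), rejects any reference outright (SQL::Abstract interprets references as literal SQL or operators), and then applies the keyword regex quoted from Peter's reply. The function name guard_column_value and the sample payloads are assumptions constructed for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Scalar::Util qw(reftype);

# Guard for values that originate from user input and are about to be
# handed to DBIx::Class set_column(). Two checks, in this order:
#   1. the value must be a plain scalar: SQL::Abstract treats scalar,
#      array and hash references specially, so a reference coming from
#      a decoded JSON body must never pass through unchanged;
#   2. the keyword regex quoted in the thread, applied on top of that
#      structural check as defence in depth.
my $sql_keyword_guard = qr/ \b (?: SELECT | UPDATE | DELETE | INSERT ) \b /ix;

sub guard_column_value {
    my ($column, $value) = @_;
    if (ref $value) {
        die sprintf "refusing %s reference for column '%s'\n",
            reftype($value) // 'unknown', $column;
    }
    if (defined $value && $value =~ $sql_keyword_guard) {
        die "value for column '$column' looks like SQL\n";
    }
    return $value;    # safe to pass to $row->set_column($column, $value)
}

# Constructed sample payloads, shaped like what a decoded request body
# might deliver; only the first two should be accepted.
my %payloads = (
    plain      => 'Heinz',
    undefined  => undef,
    scalar_ref => \'CURRENT_TIMESTAMP',
    array_ref  => [ 'x', 'y' ],
    hash_ref   => { '!=' => 'x' },
    keyword    => 'DELETE everything',
);

for my $name (sort keys %payloads) {
    my $ok = eval { guard_column_value('name', $payloads{$name}); 1 };
    printf "%-10s %s", $name, $ok ? "accepted\n" : "rejected: $@";
}
```

The reference check is the one that closes the hole described in the subject line; the keyword regex is the broader guard Peter proposes for SQL::Abstract itself, and because it matches on word boundaries it will also reject ordinary text such as "Insert coin", which is the impact question his reply leaves open.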

