Skip to content

Escape dict keys to prevent SQL injection (CVE-2025-65896) #141

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
chredeur wants to merge 1 commit into
base: dev
Choose a base branch
from
+32 −4
Open

Escape dict keys to prevent SQL injection (CVE-2025-65896) #141

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion asyncmy/converters.pyx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,7 @@ cpdef dict escape_dict(dict val, str charset, mapping: dict = None):
n = {}
for k, v in val.items():
quoted = escape_item(v, charset, mapping)
n[k] = quoted
n[escape_string(str(k))] = quoted
return n

cpdef str escape_sequence(tuple val, str charset, mapping: dict = None):
Expand Down
4 changes: 2 additions & 2 deletions conftest.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,7 @@ async def connection():
await conn.ensure_closed()


@pytest_asyncio.fixture(scope="session", autouse=True)
@pytest_asyncio.fixture(scope="session", autouse=False)
async def initialize_tests(connection):
async with connection.cursor(cursor=DictCursor) as cursor:
await cursor.execute("create database if not exists test")
Expand All @@ -56,7 +56,7 @@ async def initialize_tests(connection):
)


@pytest_asyncio.fixture(scope="function", autouse=True)
@pytest_asyncio.fixture(scope="function", autouse=False)
async def truncate_table(connection):
async with connection.cursor(cursor=DictCursor) as cursor:
await cursor.execute("truncate table test.asyncmy")
Expand Down
30 changes: 29 additions & 1 deletion tests/test_converters.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
import datetime

from asyncmy.converters import convert_datetime, escape_item, escape_str
from asyncmy.converters import convert_datetime, escape_dict, escape_item, escape_str


class CustomDate(datetime.date):
Expand Down Expand Up @@ -28,3 +28,31 @@ def test_convert_datetime():

# invalid datetime should be returned as str
assert convert_datetime("0000-00-00 00:00:00") == "0000-00-00 00:00:00"


def test_escape_dict_keys():
"""Test that dict keys are properly escaped (CVE-2025-65896).

This test ensures that SQL injection via dict keys is prevented.
Previously, only dict values were escaped, allowing attackers to
inject arbitrary SQL via crafted dict keys.
"""
# Test that keys with SQL injection characters are escaped
malicious_key = "foo'; DROP TABLE users; --"
result = escape_dict({malicious_key: "bar"}, "utf-8")
# The key should be escaped, not contain raw SQL injection
assert malicious_key not in result
assert "foo\\'; DROP TABLE users; --" in result

# Test escaping of various dangerous characters in keys
result = escape_dict({"key'with\"quotes": "value"}, "utf-8")
assert "key\\'with\\\"quotes" in result

# Test backslash escaping in keys
result = escape_dict({"key\\with\\backslash": "value"}, "utf-8")
assert "key\\\\with\\\\backslash" in result

# Test normal dict still works
result = escape_dict({"name": "test", "id": 123}, "utf-8")
assert result["name"] == "'test'"
assert result["id"] == "123"