Merge pull request from GHSA-r3jc-3qmm-w3pw

dataflake · web-flow · commit e682b99f8406 · 2024-02-07T14:14:50.000Z
Add missing security declarations on the database adapter class
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -4,6 +4,9 @@ Change log
 2.2 (unreleased)
 ----------------
 
+- Add missing security declarations on the database adapter class
+  to mitigate arbitrary SQL query execution vulnerability.
+
 - Add support for Python 3.12.
 
 
diff --git a/src/Products/SQLAlchemyDA/da.py b/src/Products/SQLAlchemyDA/da.py
@@ -13,6 +13,7 @@
 
 from AccessControl import ClassSecurityInfo
 from AccessControl.class_init import InitializeClass
+from AccessControl.Permissions import change_database_connections
 from AccessControl.Permissions import view_management_screens
 from OFS.PropertyManager import PropertyManager
 from OFS.SimpleItem import SimpleItem
@@ -295,6 +296,7 @@ def engine_options(self):
         engine_options = dict(self.extra_engine_options)
         return engine_options
 
+    @security.protected(change_database_connections)
     def add_extra_engine_options(self, engine_options):
         """ engine_options is a tuple containing additional
             options for sqlalchemy.create_engine.
@@ -346,6 +348,7 @@ def _typesMap(self, proxy):
             self._v_types_map = map
         return self._v_types_map
 
+    @security.private
     def query(self, query_string, max_rows=None, query_data=None):
         """ *The* query() method as used by the internal ZSQL
             machinery.
