Webservice: use SQLite parameter substitution instead of string formatting
Description
Constructing SQL queries with string formatting can lead to them going spectacularly wrong on malformed inputs. This is usually highlighted as a security vulnerability, but it can also cause problems just by accident if unexpected values appear. Using proper parameters is really just an elementary piece of using a database.
How Has This Been Tested?
I've run this on max-exfl017 and requested recalibration of some CALLAB jobs (following instructions from @danilevc :-). It seems to be running OK - Slurm jobs are being launched and the logs don't show errors. I don't know if there's anything more specific I should check.
Types of changes
- Bug fix (non-breaking change which fixes an issue)
Checklist:
- My code follows the code style of this project.
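To show concretely why the description matters, here is an added example (not code from this merge request or from the webservice itself) that builds the `jobs` table from the diff in an in-memory SQLite database and runs the same insert and lookup both ways: once with `str.format`, once with `?` placeholders. The column names come from the page; the sample rows, the status text containing an apostrophe, and the crafted `rid` are constructed for the demonstration.

```python
import sqlite3

# Column list taken from the CREATE TABLE in the merge request diff; the
# untyped columns and the in-memory database are this example's assumptions.
SCHEMA = ("CREATE TABLE IF NOT EXISTS "
          "jobs(rid, jobid, proposal, run, status, time, det, act)")

# Constructed sample rows, not real job records. The second status text
# contains an apostrophe, which is enough to break a formatted query.
ROWS = [
    ("r1", "1001", "p700000", "42", "PENDING", "2023-01-01T10:00", "AGIPD", "correct"),
    ("r2", "1002", "p700000", "43", "Can't read run dir", "2023-01-01T10:05", "AGIPD", "correct"),
]


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    # IF NOT EXISTS makes a repeated CREATE TABLE a no-op instead of an
    # OperationalError, so no try/except is needed to probe for the table.
    conn.execute(SCHEMA)
    return conn


def insert_formatted(conn, row):
    """The pattern being removed: values spliced into the SQL text."""
    quoted = ", ".join("'{}'".format(v) for v in row)
    conn.execute("INSERT INTO jobs VALUES ({})".format(quoted))


def insert_parameterised(conn, row):
    """Parameter substitution: SQL and data travel separately, so quoting is the driver's job."""
    conn.execute("INSERT INTO jobs VALUES (?, ?, ?, ?, ?, ?, ?, ?)", tuple(row))


def statuses_formatted(conn, rid):
    sql = "SELECT status FROM jobs WHERE rid = '{}'".format(rid)
    return [r[0] for r in conn.execute(sql)]


def statuses_parameterised(conn, rid):
    return [r[0] for r in conn.execute("SELECT status FROM jobs WHERE rid = ?", (rid,))]


def demo():
    """Run both styles against the same data and return the outcomes for comparison."""
    conn = open_db()
    out = {}
    # Accidental breakage: the apostrophe in "Can't read run dir" terminates the
    # string literal early and the statement no longer parses.
    try:
        insert_formatted(conn, ROWS[1])
        out["formatted_insert"] = "ok"
    except sqlite3.OperationalError as exc:
        out["formatted_insert"] = "error: {}".format(exc)
    # The same row goes in without trouble when passed as a parameter.
    for row in ROWS:
        insert_parameterised(conn, row)
    out["row_count"] = conn.execute("SELECT count(*) FROM jobs").fetchone()[0]
    # Deliberate breakage: an rid crafted to widen the WHERE clause. Formatted,
    # it returns every row; parameterised, it is just a string that matches nothing.
    hostile = "r1' OR 'x'='x"
    out["formatted_select"] = statuses_formatted(conn, hostile)
    out["parameterised_select"] = statuses_parameterised(conn, hostile)
    out["normal_select"] = statuses_parameterised(conn, "r1")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The apostrophe case is the "by accident" failure the description mentions: nothing hostile is involved, an ordinary status message simply breaks the statement. The crafted `rid` is the security case; with placeholders the value is never interpreted as SQL, so no escaping logic in Python is needed.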
Activity
added 1 commit
- 31a8a929 - Use CREATE TABLE IF NOT EXISTS SQLite statement
43 43 # https://pypi.org/project/databases/ 44 44 logging.info("Initializing database") 45 45 conn = sqlite3.connect(config['web-service']['job-db']) 46 c = conn.cursor() 47 try: 48 c.execute("SELECT * FROM jobs") 49 except Exception: # TODO: is it sqlite3.OperationalError? 50 logging.info("Creating initial job database") 51 c.execute("CREATE TABLE jobs(rid, jobid, proposal, run, status, time, det, act)") # noqa 46 conn.execute( 47 "CREATE TABLE IF NOT EXISTS " 48 "jobs(rid, jobid, proposal, run, status, time, det, act)" 49 )
I also took the chance to use sqlite's 'IF NOT EXISTS' clause, rather than catching an error to check if the table exists in Python. This is documented.
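Review bot: with `c = conn.cursor()` removed at old line 46, please confirm nothing later in this function still refers to `c`; `conn.execute(...)` uses an implicit cursor, so any leftover `c.execute(...)` below the hunk would now fail with a NameError. The replacement is otherwise an improvement: the old `except Exception:` would have treated any failure of `SELECT * FROM jobs` (not only a missing table) as a reason to run `CREATE TABLE`, which then raises its own error if the table does exist, and `CREATE TABLE IF NOT EXISTS` also resolves the `TODO: is it sqlite3.OperationalError?` comment by making the exception type irrelevant. Since the `# noqa` was only needed for the long single-line statement, dropping it with the reflowed string is correct.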
Nice changes you are applying there @kluyvert, LGTM
mentioned in commit 535e1af2