classification
Title: sqlite3.Connection(...) bypasses 'sqlite3.connect' audit hooks
Type: security Stage: resolved
Components: Library (Lib) Versions: Python 3.10, Python 3.9, Python 3.8
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: Nosy List: berker.peksag, erlendaasland, miss-islington, steve.dower
Priority: normal Keywords: patch

Created on 2021-03-08 12:53 by erlendaasland, last changed 2021-05-02 22:56 by steve.dower. This issue is now closed.

Files
File name Uploaded Description Edit
audit.py erlendaasland, 2021-03-08 12:53
patch.diff erlendaasland, 2021-03-08 12:54
Pull Requests
URL Status Linked Edit
PR 25818 merged erlendaasland, 2021-05-02 16:04
PR 25822 merged erlendaasland, 2021-05-02 21:43
PR 25823 merged erlendaasland, 2021-05-02 21:46
PR 25825 merged erlendaasland, 2021-05-02 22:19
PR 25826 closed miss-islington, 2021-05-02 22:43
Messages (13)
msg388264 - (view) Author: Erlend E. Aasland (erlendaasland) * (Python triager) Date: 2021-03-08 12:53
The module level connect method is guarded by PySys_Audit(), but sqlite3.Connection.__init__() is not. It is possible to bypass the module level connect() method simply by creating a new sqlite3.Connection object directly.

Easily fixed by either moving the PySys_Audit() check to pysqlite_connection_init(), or by adding an extra check in pysqlite_connection_init().


>>> import sqlite3, sys
>>> def hook(s, e):
...     if s == 'sqlite3.connect':
...             raise PermissionError
... 
>>> sys.addaudithook(hook)
>>> sqlite3.connect(':memory:')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "<stdin>", line 3, in hook
PermissionError
>>> sqlite3.Connection(':memory:')
<sqlite3.Connection object at 0x7f94b0157a80>
msg392393 - (view) Author: Erlend E. Aasland (erlendaasland) * (Python triager) Date: 2021-04-30 08:47
Steve, is it worth it to improve this?
msg392702 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2021-05-02 14:39
Yes, let's move it into the init function.
msg392709 - (view) Author: Erlend E. Aasland (erlendaasland) * (Python triager) Date: 2021-05-02 16:17
The PR accidentally fixes a bug in GH-25246 (bpo-43762):
The object passed to PySys_Audit() is now the connection object, not the module object.
msg392724 - (view) Author: Erlend E. Aasland (erlendaasland) * (Python triager) Date: 2021-05-02 20:26
Steve, can we get this in before beta1 (bco. the bugfix)?
msg392735 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2021-05-02 21:25
New changeset c96cc089f60d2bf7e003c27413c3239ee9de2990 by Erlend Egeberg Aasland in branch 'master':
bpo-43434: Move sqlite3.connect audit events to sqlite3.Connection.__init__ (GH-25818)
https://github.com/python/cpython/commit/c96cc089f60d2bf7e003c27413c3239ee9de2990
msg392736 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2021-05-02 21:25
We could get this one in after beta 1 anyway, but sure, it's in.

The backports are going to have to be manual, I suspect...
msg392737 - (view) Author: Erlend E. Aasland (erlendaasland) * (Python triager) Date: 2021-05-02 21:29
Thanks! :) I'll fix the backports.
msg392742 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2021-05-02 22:04
Thanks, Erlend! Appreciate how quickly you got onto that, and the quality of your work.
msg392743 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2021-05-02 22:11
New changeset cbb7b9ed4a6069a2cb2e2f809926c2cfa332a493 by Erlend Egeberg Aasland in branch 'master':
bpo-43434: Clean up sqlite3.connect() after GH-25818 (GH-25823)
https://github.com/python/cpython/commit/cbb7b9ed4a6069a2cb2e2f809926c2cfa332a493
msg392745 - (view) Author: Erlend E. Aasland (erlendaasland) * (Python triager) Date: 2021-05-02 22:29
Thanks, Steve, that means a lot! Glad to help. Thank you for getting it into beta1. Having the new event out there with the wrong object passed to it would have been a tiny bit embarrassing :)
msg392748 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2021-05-02 22:43
New changeset ad73d1657ca3591b1dd1d15bb80ce83ca7fc3223 by Erlend Egeberg Aasland in branch '3.9':
bpo-43434: Move sqlite3.connect audit event to sqlite3.Connection.__init__ (GH-25818)
https://github.com/python/cpython/commit/ad73d1657ca3591b1dd1d15bb80ce83ca7fc3223
msg392749 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2021-05-02 22:55
New changeset 10665ac37313560fe87460cf4a5c26677049bf62 by Erlend Egeberg Aasland in branch '3.8':
bpo-43434: Move sqlite3.connect audit events to sqlite3.Connection.__init__ (GH-25818)
https://github.com/python/cpython/commit/10665ac37313560fe87460cf4a5c26677049bf62
History
Date User Action Args
2021-05-02 22:56:58steve.dowersetstatus: open -> closed
resolution: fixed
stage: patch review -> resolved
2021-05-02 22:55:36steve.dowersetmessages: + msg392749
2021-05-02 22:43:29miss-islingtonsetnosy: + miss-islington
pull_requests: + pull_request24514
2021-05-02 22:43:09steve.dowersetmessages: + msg392748
2021-05-02 22:29:18erlendaaslandsetmessages: + msg392745
2021-05-02 22:19:01erlendaaslandsetpull_requests: + pull_request24513
2021-05-02 22:11:01steve.dowersetmessages: + msg392743
2021-05-02 22:04:32steve.dowersetmessages: + msg392742
2021-05-02 21:46:44erlendaaslandsetpull_requests: + pull_request24510
2021-05-02 21:43:48erlendaaslandsetstage: backport needed -> patch review
pull_requests: + pull_request24509
2021-05-02 21:29:45erlendaaslandsetmessages: + msg392737
2021-05-02 21:25:47steve.dowersetmessages: + msg392736
stage: patch review -> backport needed
2021-05-02 21:25:25steve.dowersetmessages: + msg392735
2021-05-02 20:26:41erlendaaslandsetmessages: + msg392724
2021-05-02 16:17:12erlendaaslandsetmessages: + msg392709
2021-05-02 16:04:16erlendaaslandsetstage: patch review
pull_requests: + pull_request24504
2021-05-02 14:39:02steve.dowersetmessages: + msg392702
2021-04-30 08:47:28erlendaaslandsetmessages: + msg392393
2021-03-08 12:54:11erlendaaslandsetfiles: + patch.diff
keywords: + patch
2021-03-08 12:53:59erlendaaslandcreate