Skip to content

#1668: prevent DSL injection in cover_qo factbase query#1752

Open
VasilevNStas wants to merge 1 commit into
zerocracy:masterfrom
VasilevNStas:1668-dsl-injection-cover-qo
Open

#1668: prevent DSL injection in cover_qo factbase query#1752
VasilevNStas wants to merge 1 commit into
zerocracy:masterfrom
VasilevNStas:1668-dsl-injection-cover-qo

Conversation

@VasilevNStas

@VasilevNStas VasilevNStas commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Description

lib/cover_qo.rb builds a factbase query by interpolating judge name. If the name contains ', the Sexp is malformed.

Fix

Escape single quotes in the judge name before query interpolation.

Closes #1668

Escape single quotes in judge name before Sexp interpolation.
@VasilevNStas

Copy link
Copy Markdown
Contributor Author

@yegor256 plz review

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

lib/cover_qo.rb factbase query injection via judge name interpolation

1 participant