
not distinguishing sql statement with mixed stringbased query construction and sanitised parameterised sql query #1302

@pindge

Description


Describe the bug

Issue: [B608:hardcoded_sql_expressions] Possible SQL injection vector through string-based query construction.
Severity: Medium Confidence: Low
CWE: CWE-89 (https://cwe.mitre.org/data/definitions/89.html)
More Info: https://bandit.readthedocs.io/en/1.8.6/plugins/b608_hardcoded_sql_expressions.html

    delete_sql = f""" DELETE from {table} where asset_id = :asset_id""", {
        'asset_id': asset_id,
    }

The above is a SQL query with a mix of string construction, DELETE from {table}, and a value parameter, asset_id = :asset_id; Bandit has identified it as a possible issue.

If {table} is changed to :table, the following error is returned:

exp = ('DELETE from :table where asset_id = :asset_id', {'asset_id': 'nhe_105932', 'table': 'G7_ASSETS'})

E       sqlite3.OperationalError: near ":table": syntax error

Reproduction steps

1. create a python file
2. add the following code:

    table = 'tt'
    asset_id = 111
    delete_sql = f""" DELETE from {table} where asset_id = :asset_id""", {
        'asset_id': asset_id,
    }

3. run bandit
...

Expected behavior

no warning

Bandit version

1.8.3 (Default)

Python version

3.11

Additional context

bandit 1.8.6
python version = 3.11.8 (main, Mar 22 2024, 13:25:41) [MSC v.1938 64 bit (AMD64)]
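An added example, not code from the issue or from the Bandit project, showing why the two halves of the flagged statement behave differently: sqlite3 placeholders bind values only, so ':table' in an identifier position fails at prepare time exactly as the traceback above shows, while a vetted, quoted table name plus a bound asset_id gives a statement that an injected value cannot escape. The in-memory database, its two rows and the ALLOWED_TABLES allowlist are constructed here for the demonstration and are not from the report.

```python
import sqlite3

# Constructed for this example: the tables the application may touch.
# The issue's snippet uses 'tt' and its traceback shows 'G7_ASSETS'.
ALLOWED_TABLES = frozenset({"G7_ASSETS", "tt"})


def setup_demo_db() -> sqlite3.Connection:
    """Build an in-memory database with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE "G7_ASSETS" (asset_id TEXT PRIMARY KEY)')
    conn.executemany('INSERT INTO "G7_ASSETS" VALUES (?)',
                     [("nhe_105932",), ("nhe_000001",)])
    conn.commit()
    return conn


def quote_identifier(name: str) -> str:
    """Reject table names outside the allowlist, then quote the survivor
    as a SQL identifier (double quotes, embedded quotes doubled).

    Bound parameters carry values only; an identifier such as a table
    name has to be vetted in application code instead.
    """
    if name not in ALLOWED_TABLES:
        raise ValueError(f"table not in allowlist: {name!r}")
    return '"' + name.replace('"', '""') + '"'


def delete_with_bound_table(conn, table, asset_id):
    """The variant the issue tried: ':table' as a named parameter.
    sqlite3 cannot bind an identifier, so the parser sees a stray token
    and the statement fails before any value is bound. Returns the error
    text (or None if, unexpectedly, it ran)."""
    try:
        conn.execute("DELETE FROM :table WHERE asset_id = :asset_id",
                     {"table": table, "asset_id": asset_id})
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


def delete_asset(conn, table, asset_id):
    """Safe form: allowlisted, quoted identifier plus a bound value.
    Bandit still reports B608 on the f-string, because it only sees the
    interpolation; suppress with a justified '# nosec B608' only once
    the allowlist check is in place. Returns the number of rows deleted."""
    sql = f"DELETE FROM {quote_identifier(table)} WHERE asset_id = :asset_id"  # nosec B608
    cur = conn.execute(sql, {"asset_id": asset_id})
    conn.commit()
    return cur.rowcount


def count_rows(conn, table):
    """Row count for an allowlisted table, same identifier handling."""
    sql = f"SELECT COUNT(*) FROM {quote_identifier(table)}"  # nosec B608
    return conn.execute(sql).fetchone()[0]


if __name__ == "__main__":
    db = setup_demo_db()
    print("bound identifier:", delete_with_bound_table(db, "G7_ASSETS", "nhe_105932"))
    print("rows deleted:", delete_asset(db, "G7_ASSETS", "nhe_105932"))
    # The quotes in an injected *value* are compared literally, so nothing matches:
    print("rows deleted with injected value:",
          delete_asset(db, "G7_ASSETS", "nhe_000001' OR '1'='1"))
```

B608 is a pattern match on string formatting into SQL-looking text; it cannot tell that the interpolated fragment is an identifier drawn from an allowlist rather than attacker-controlled input, which is why the finding carries Low confidence. The practical split is the one above: identifiers are validated and quoted in code, values always go through the driver's parameter binding.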

Labels: bug (Something isn't working)