Comments (2)
I totally understand where the concern is coming from, although as you say, given the user already owns the database file (and likely has a plaintext history file too), malicious actors really aren't of concern.
I think the solution to this is twofold. I've actually been using the SQL injection as... a feature. Bad as it may sound at first, being able to use SQL to query my history is useful!
I do agree though: weird directory names or other inputs might cause undesired results, and this should definitely not be the case.
Going forward I think the best approach would be to have both an explicit "SQL allowed" mode, and perhaps a "simple" mode where the query is far more literal (and sanitised).
Server side everything uses prepared statements with SQLx, so there shouldn't be any security concerns there.
from atuin.
Closing this as the fix can be tracked in #58.
Thank you so much for both checking through the code, and taking the time to report this! 😄
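To make the difference between the two modes sketched above concrete, here is an added example in Rust (atuin's language). It is not atuin's code and not the fix in #58; the table and column names (`history`, `command`, `timestamp`) are assumptions, and `?1` is SQLite's numbered placeholder. The "simple" mode keeps the SQL text constant and passes the user's text only as a bind value (with LIKE wildcards escaped so it matches literally); the "SQL allowed" mode splices the text into the statement, so whatever the user types is executed as SQL.

```rust
// Added illustration, not atuin's code: contrasts an interpolating
// "SQL allowed" mode with a "simple" mode that binds the user's text.
// Table/column names (history, command, timestamp) are assumptions.

/// Escape the LIKE metacharacters so the user's text matches literally.
/// `\` is declared as the escape character in the SQL built below.
pub fn escape_like(input: &str) -> String {
    let mut out = String::with_capacity(input.len() + 4);
    for c in input.chars() {
        if matches!(c, '\\' | '%' | '_') {
            out.push('\\');
        }
        out.push(c);
    }
    out
}

/// "Simple" mode: the SQL text is a constant and the user's query only ever
/// travels as a bind value, so quotes, semicolons and `--` inside it are inert.
/// Returns `(sql, bind_value)` in the shape a prepared-statement API consumes.
pub fn simple_mode_query(input: &str) -> (String, String) {
    let sql = "SELECT command FROM history \
               WHERE command LIKE ?1 ESCAPE '\\' \
               ORDER BY timestamp DESC";
    (sql.to_string(), format!("%{}%", escape_like(input)))
}

/// "SQL allowed" mode, i.e. the interpolating form the thread discusses:
/// the input is spliced into the statement and is therefore SQL, not data.
/// Shown only to make the difference visible; never feed it untrusted input.
pub fn sql_mode_query(input: &str) -> String {
    format!(
        "SELECT command FROM history WHERE command LIKE '%{}%' ORDER BY timestamp DESC",
        input
    )
}

fn main() {
    // Constructed inputs: a plain search, one containing LIKE wildcards,
    // and one carrying a quote that would break out of a string literal.
    for input in ["git push", "100%_done", "x' OR '1'='1"] {
        let (sql, bind) = simple_mode_query(input);
        println!("simple: {sql}\n        bind ?1 = {bind:?}");
        println!("sql   : {}\n", sql_mode_query(input));
    }
}
```

In simple mode the third input stays inside the bind value, so the `OR '1'='1'` never reaches the parser; in SQL mode it lands in the statement text, which is exactly the behaviour being used as a feature in the thread. Escaping `%` and `_` matters too: without it a directory name such as `100%_done` would silently turn into a wildcard pattern, which is the "undesired results" case the comment mentions.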
Related Issues (20)
- [Bug]: Atuin fzf search to behave the same like my zsh fzf search
- [Bug]: atuin status with Error: unexpected trailing characters; the end of input was expected
- [Bug]: atuin + starship + zsh + accept-line override is clearing previous command?
- [Bug]: sqlite database corruption on network filesystem AFS
- [Bug]: Cannot install on NixOS
- [Bug]: some commands are missed by atuin for no apparent reason?
- feature request: allow disable "/" keybind applicable when "ctrl+r" is enabled (for ble.sh compatibility)
- [Bug]: Fish shell plugin not loaded on startup
- [Feature request]: search match syntax highlight
- [Bug]: Non-interactive search with limit=1 much slower when query is empty
- Feature: select entries using number in vim-normal mode
- Feature
- [Bug]: build fails with `atuin` depends on `env_logger`, with features: `anstream` but `env_logger` does not have these features.
- [Bug]: panic/crash when executing on i686 system
- [Bug]: Atuin seems to randomly "forget" lots of history also strange fuzzy search behavior.
- [Bug]: Glitch after a "base64 --decode" command
- [Bug]: encryption key is not a valid base64 encoding with key_path
- [Bug]: History not synced between old machine and new
- [Bug]: ctrl-n doesn't exit scroll on last line
- [Bug]: ctrl+r doesn't work in zsh with sshx.io