Comments (6)
Thanks for your feedback. Currently the CMDB module works only on the MySQL backend, as described in http://ralph.allegrogroup.com/doc/cmdb.html#installation. We're planning to enable this feature for SQLite and PostgreSQL in a later version. Patches welcome :)
from ralph.
There is a raw SQL query in this file. I don't know how it managed to pass the code review; however, if you stick to standard Django querysets, you're good to go.
Therefore, instead of:
MONTH(ch.time)=%s
use
from datetime import datetime
from ralph.cmdb.models import CI
then query for the data:
now = datetime.now()
# the month/year lookups replace MONTH(ch.time)=%s from the raw query
objects = CI.objects.filter( ... ).filter(time__month=now.month, time__year=now.year)
and aggregate ( https://docs.djangoproject.com/en/dev/topics/db/aggregation/ ).
Unless you validate the type / kwargs['type'] argument, which is defined as \w+ in urls.py, this query is vulnerable to SQL injection.
from ralph.
The raw query is not pretty, and we will eventually replace it with something more integrated with the ORM (it's a little bit trickier than it looks), but you are mistaken about it being vulnerable to SQL injection, as cursor.execute() escapes the values that are passed into it, so don't panic.
from ralph.
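The point made in the comment above, that values handed to cursor.execute() as parameters are bound by the driver rather than spliced into the SQL text, can be checked directly. The following is an added example and not code from the ralph project: it uses the standard-library sqlite3 driver (with ? placeholders instead of Django's %s) and a constructed in-memory table named ch standing in for the change table, and it also shows the \w+ check on the type argument that the urls.py pattern implies.

```python
import re
import sqlite3

# Constructed sample data standing in for the cmdb change table (not ralph's schema).
SAMPLE_ROWS = [
    ("config", "2013-03-01 10:00:00"),
    ("incident", "2013-03-15 11:00:00"),
    ("config", "2013-04-02 09:00:00"),
]

TYPE_RE = re.compile(r"\w+")  # same character class as the \w+ group assumed in urls.py


def build_db():
    """Create an in-memory database with a small constructed change table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ch (id INTEGER PRIMARY KEY, type TEXT, time TEXT)")
    conn.executemany("INSERT INTO ch (type, time) VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def is_valid_type(change_type):
    """Reject anything that would not have matched the \\w+ URL pattern."""
    return TYPE_RE.fullmatch(change_type) is not None


def count_changes(conn, change_type, month):
    """Count changes of one type in a given month using bound parameters.

    The SQL text is a constant; change_type and month are passed separately
    and bound by the driver, so a quote or keyword inside change_type is
    compared as a literal string and cannot alter the statement.
    """
    sql = (
        "SELECT COUNT(*) FROM ch "
        "WHERE type = ? AND CAST(strftime('%m', time) AS INTEGER) = ?"
    )
    return conn.execute(sql, (change_type, month)).fetchone()[0]


def handle_request(conn, change_type, month):
    """Validate the URL argument first, then run the parameterised query."""
    if not is_valid_type(change_type):
        raise ValueError("type must match \\w+")
    return count_changes(conn, change_type, month)


if __name__ == "__main__":
    db = build_db()
    print(handle_request(db, "config", 3))
    # A value containing a quote is still compared literally when bound,
    # and is rejected by the \w+ check before the query is even built.
    print(count_changes(db, "config' OR '1'='1", 3))
```

Running the bound query with a value containing quotes returns 0 rows rather than every row, which is what "cursor.execute() escapes the values" means in practice; the \w+ check is a second, independent layer that keeps such values from reaching the query at all.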
Indeed, I was misled by the %s in the query and automatically assumed there was a % [params] somewhere further on.
I noticed that you also use SQLAlchemy, so even if Django itself doesn't cut it for you, you can use the SQLAlchemy wrapper for Django's models and do
model.sa.query()
and so on.
from ralph.
We will certainly get to that and come up with a solution that works on all supported database backends.
from ralph.
I'm closing this issue: there has been no activity here for long enough and, AFAIK, we are not going for DB backends other than MySQL in the near future.
from ralph.