
Fix SQL injection in MSSQL password rotation #2151

Merged
amangalampalli-ks merged 2 commits into fix/sql-injection-via-pwd-rotation from fix/sql-injection-via-pwd-rotation-int
Jun 16, 2026

Conversation

@amangalampalli-ks

Contributor

Summary

Fixes SQL injection in MSSQL password rotation via rotate --password and adds defense-in-depth validation for user-supplied rotation passwords.

Changes

  • MSSQL plugin — Use parameterized ALTER LOGIN (%s) and validate/bracket-quote login names
  • rotate command — Reject unsafe --password characters (', ", ;, \, --) with a clear error naming the offending character(s)
  • Plugin manager — Read login/password from labeled typed record fields (KC-1163)
  • Tests — Add coverage for labeled-field rotation kwargs lookup
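
The validation and quoting the PR description lists, written out as an added example (this is not the project's own code, and the helper names, the `RecordingCursor` stand-in and the login allowlist beyond the `/` and `.` the follow-up commit mentions are assumptions made for illustration). Two points a reviewer would want visible: a login name is an identifier and cannot be bound as a parameter, so it must be allowlisted and bracket-quoted rather than escaped; and `ALTER LOGIN ... WITH PASSWORD` is DDL, so drivers such as pymssql substitute the `%s` placeholder client-side with their own quoting, which is why an independent rejection of `'`, `"`, `;`, `\` and `--` in `--password` is worth having as defense in depth.

```python
import re

# Added example, not keepercommander's code. Function names, the login
# allowlist (other than '/' and '.') and RecordingCursor are assumptions.

# Allowlist for login names: letters, digits, '_', '.', '/', '\' (DOMAIN\user),
# '@' (user@domain) and '-'. Everything else, including ']', ';' and quotes,
# is rejected outright instead of escaped.
_LOGIN_RE = re.compile(r"[A-Za-z0-9_./\\@-]+")

# Sequences the PR says `rotate --password` refuses.
UNSAFE_PASSWORD_TOKENS = ("'", '"', ";", "\\", "--")


def is_valid_login(login: str) -> bool:
    """True when the login consists only of allowlisted characters."""
    return bool(login) and _LOGIN_RE.fullmatch(login) is not None


def quote_login(login: str) -> str:
    """Validate a login name and wrap it in T-SQL bracket delimiters.

    Identifiers cannot be bound as parameters, so the name is allowlisted
    first; ']' is still doubled inside the brackets as belt and braces.
    """
    if not is_valid_login(login):
        raise ValueError(f"invalid MSSQL login name: {login!r}")
    return "[" + login.replace("]", "]]") + "]"


def find_unsafe_password_tokens(password: str) -> list:
    """Return the unsafe sequences present in the password, in the fixed
    order of UNSAFE_PASSWORD_TOKENS, so the error can name each one."""
    return [tok for tok in UNSAFE_PASSWORD_TOKENS if tok in password]


def validate_rotation_password(password: str) -> str:
    """Defense in depth for `rotate --password`: refuse rather than escape."""
    bad = find_unsafe_password_tokens(password)
    if bad:
        names = ", ".join(repr(tok) for tok in bad)
        raise ValueError(f"--password contains unsafe character(s): {names}")
    return password


def vulnerable_alter_login(login: str, password: str) -> str:
    """The injectable pattern the fix replaces: both values interpolated
    into one string, so a quote in the password ends the literal early."""
    return f"ALTER LOGIN {login} WITH PASSWORD = '{password}'"


def build_alter_login(login: str) -> str:
    """Hardened statement: bracket-quoted login, password left to the
    driver's %s placeholder (pymssql style)."""
    return f"ALTER LOGIN {quote_login(login)} WITH PASSWORD = %s"


class RecordingCursor:
    """Constructed stand-in for a DB-API cursor so this runs offline."""

    def __init__(self):
        self.calls = []

    def execute(self, sql, params=None):
        self.calls.append((sql, params))


def rotate_password(cursor, login: str, password: str) -> tuple:
    """Validate both inputs, then run the parameterized ALTER LOGIN.
    Returns the (sql, params) pair handed to the driver."""
    validate_rotation_password(password)
    sql = build_alter_login(login)
    cursor.execute(sql, (password,))
    return sql, (password,)


if __name__ == "__main__":
    cur = RecordingCursor()
    print(rotate_password(cur, r"CORP\svc.rotate", "N3w-Secret!2026"))
    print(vulnerable_alter_login("svc", "x'--"))
    try:
        rotate_password(cur, "svc", "x'--")
    except ValueError as exc:
        print(exc)
```

Rejecting rather than escaping keeps the password check independent of whichever driver ends up doing the substitution; if a deployment needs those characters in rotated secrets, the right fix is a driver that binds server-side, not a looser allowlist.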

@amangalampalli-ks amangalampalli-ks self-assigned this Jun 15, 2026
@amangalampalli-ks amangalampalli-ks marked this pull request as ready for review June 15, 2026 08:27
Comment thread keepercommander/plugins/mssql/mssql.py Outdated
@amangalampalli-ks amangalampalli-ks merged commit 8480c3e into fix/sql-injection-via-pwd-rotation Jun 16, 2026
4 checks passed
amangalampalli-ks added a commit that referenced this pull request Jun 16, 2026
* Fix SQL injection in MSSQL password rotation and reject unsafe --password input

* allow / and . in login regex
sk-keeper pushed a commit that referenced this pull request Jun 16, 2026
* Fix SQL injection in MSSQL password rotation and reject unsafe --password input

* allow / and . in login regex

3 participants