Add sql injection warning

hupe1980 · Jul 28, 2023 · 6821b93 · 6821b93
1 parent 9d609c7
commit 6821b93
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 2 deletions.
diff --git a/docs/content/en/docs/chains/api.md b/docs/content/en/docs/chains/api.md
@@ -8,6 +8,8 @@ The api chain has the potential to be susceptible to Server-Side Request Forgery
 
 To mitigate the risks associated with SSRF attacks, it is strongly advised to use the VerifyURL hook diligently. The VerifyURL hook should be implemented to validate and ensure that the generated URLs are restricted to authorized and safe resources only. By doing so, unauthorized access to sensitive resources can be prevented, and the application's security can be significantly enhanced.
 
+It is the responsibility of developers and administrators to ensure the secure usage of the API chain. We strongly recommend thorough testing, security reviews, and adherence to secure coding practices to protect against potential security threats, including SSRF and other vulnerabilities.
+
 See an example below.
 {{% /alert %}}
 

diff --git a/docs/content/en/docs/chains/sql.md b/docs/content/en/docs/chains/sql.md
@@ -3,6 +3,21 @@ title: SQL
 description: All about sql chains.
 weight: 90
 ---
+{{% alert title="Warning" color="warning" %}}
+The SQL chain is a powerful tool for executing SQL queries dynamically. However, it should be used with caution to prevent potential SQL injection vulnerabilities. SQL injection is a serious security risk that can lead to unauthorized access, data manipulation, and potentially compromising the entire database.
+
+To mitigate the risks of SQL injection, it is crucial to follow these best practices while using the SQL chain:
+
+- Least Privilege Principle: Ensure that the database user used in the application has the least privilege necessary to perform its required tasks. Restrict the user's permissions to only the required tables and operations.
+
+- Table Whitelisting or Blacklisting: Use the Tables or Exclude options to reduce the allowed tables that can be accessed via the SQL chain. This will limit the potential impact of any SQL injection attack by restricting the scope of accessible tables.
+
+- VerifySQL Hook: Implement the VerifySQL hook diligently to validate and sanitize user input. This hook should be used to check and ensure that the generated SQL queries are safe and adhere to the allowed tables and queries.
+
+It is the responsibility of the application developers and administrators to ensure the secure usage of the SQL chain. Failure to do so can lead to severe security breaches and compromise the integrity of the application and database. We strongly recommend thorough testing, security reviews, and adherence to secure coding practices to protect against SQL injection and other security threats.
+
+See an example below.
+{{% /alert %}}
 
 ```go
 package main
@@ -51,7 +66,9 @@ func main() {
 		}
 	}
 
-	sql, err := chain.NewSQL(openai, engine)
+	sql, err := chain.NewSQL(openai, engine, func(o *chain.SQLOptions) {
+		o.Tables = []string{"employee"}
+	})
 	if err != nil {
 		log.Fatal(err)
 	}

diff --git a/examples/sql_chain/main.go b/examples/sql_chain/main.go
@@ -42,7 +42,9 @@ func main() {
 		}
 	}
 
-	sql, err := chain.NewSQL(openai, engine)
+	sql, err := chain.NewSQL(openai, engine, func(o *chain.SQLOptions) {
+		o.Tables = []string{"employee"}
+	})
 	if err != nil {
 		log.Fatal(err)
 	}