ProgrammingError only '%s', '%b', '%t' are allowed as placeholders, got '%C'

[DmytroLitvinov]

Hi there,

Found an issue when some spam attacks on a website like /%C0, we have a next issue in SQL query:

I am open to fixing that issue but unsure where to start and how to fix it. Ready to provide fix on your assistance.

[wesleykendall]

I'm not sure what the issue is in django-pgactivity. Can you elaborate?

[DmytroLitvinov]

As I understand, it adds context via middleware and then in the sql variable we can see that when URL was /%C0 then psycopg raises an issue - ProgrammingError only '%s', '%b', '%t' are allowed as placeholders, got '%C'

In my case URL is next https://www.mydomain.com//%C0.
Maybe you have sites which use that library with middleware attached to project?

Sorry if I miss something or explained in unclear way.

[wesleykendall]

I see, this makes sense! Yes this was an oversight. We should be properly escaping % with %%. I will mark this as a bug.

It's difficult for me to commit to when it could be fixed, but I welcome PRs

[DmytroLitvinov]

Do you think will that work if we just make a next quick bug-fix in that line https://github.com/AmbitionEng/django-pgactivity/blob/86b95fe340ad67fb3f0bfc8302264e1fe4bc7cff/pgactivity/runtime.py#L17C5-L17C70

As: sql = f"/*pga_context={metadata_str.replace('%', '%%').replace('*', '-')}*/\n" + sql

Or we can decode URL via unquote before passing it like.

But for me it sounds first approach is better since it is not only in URL can be passed, but also as additional context via manual code (not via middleware which does it automatically)