Three years ago, #FDroid had a similar kind of attempt as the #xz #backdoor. A new contributor submitted a merge request to improve the search, which was oft requested but the maintainers hadn't found time to work on. There was also pressure from other random accounts to merge it. In the end, it became clear that it added a #SQLinjection #vuln. In this case, we managed to catch it before it was merged. Since similar tactics were used, I think its relevant now
@eighthave Interesting. However, with a project that relies on string concatenation for producing SQL queries rather than prepared statements – this kind of thing is to be expected, most likely it was an honest mistake. The issue was also fairly obvious, someone attempting to introduce it maliciously should have expected it to be caught.
@WPalant Ironically, it could be because I was so aware of the crappy state of things that I caught this. The author of the SQL code was no longer involved. I suck at SQL but was well aware that string concat to build SQL queries is a bad idea. So I was terrified to merge any changes to the SQL without really confirming them.
In any case, we've since replaced all that crazy code with libraries that provide much more protection.
