Secure-by-Design SQL in Robot Framework / RPA
Redesigning the RPA Framework database keyword to be secure by design: adding parameterized query support upstream to close a SQL injection class affecting low-code/RPA automations, plus a writeup, an exploit/fix demo, and an OWASP cheatsheet.
Low-code/RPA platforms put database access in the hands of citizen developers: business technologists without a traditional security background. That makes the design of the underlying keywords decisive: if the easy path is the insecure path, an entire class of automations inherits the flaw. This project takes that idea seriously and redesigns an existing feature to be secure by design: the database query keyword in RPA Framework for Robot Framework.
The vulnerability
The documented, idiomatic way to run a query was to build the SQL string by hand with Format String and hand the result to Query (Robot Framework separates arguments with two or more spaces):

```robotframework
${query}=    Format String    INSERT INTO students (name) VALUES ('{}');    ${student_name}
Query    ${query}
```
That is textbook SQL injection. A `${student_name}` of `Robert'); DROP TABLE Students;--` turns one statement into two, and there is no separation between code and data. Because this was the example in the docs, the vulnerability was effectively the default.
The redesign - a safe path upstream
Rather than just warn people off the pattern, the fix was contributed where it belongs: in the library. The PR to rpaframework (#899) added a data parameter to the Query keyword that is passed straight to cursor.execute(), giving Robot Framework users real parameter binding, with data kept separate from code at the driver level:
```robotframework
${query}=    Set Variable    INSERT INTO students (name) VALUES (%s);
Query    ${query}    data=("${student_name}", )
```
The PR shipped with Python and Robot Framework tests and updated documentation so the recommended example is now the safe one. It was reviewed, merged, and released, closing the gap for every downstream user, not just the one who reported it.
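The injection mechanics above and the driver-level separation the `data` parameter provides are easiest to see side by side in plain Python, which is what the Query keyword ultimately calls. The following is an added example, not code from the page, the rpaframework PR, or the demo project; it models the old keyword as string formatting plus execution and the new one as `cursor.execute(statement, data)`, using an in-memory SQLite database constructed inline. Two assumptions are labelled in the code: SQLite's `execute()` refuses stacked statements, so the vulnerable path uses `executescript()` to stand in for drivers that run whatever they are handed, and SQLite's placeholder is `?` rather than the `%s` shown on the page (the placeholder syntax is the DB-API paramstyle of the driver in use, e.g. `%s` for psycopg2 and PyMySQL, `?` for sqlite3):

```python
import sqlite3

# The payload from the writeup: closes the quoted value, ends the INSERT, appends a DROP.
# SQLite matches table names case-insensitively, so "Students" hits the "students" table.
PAYLOAD = "Robert'); DROP TABLE Students;--"


def fresh_db() -> sqlite3.Connection:
    """Constructed sample database with the students table the page's query targets."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (name TEXT)")
    conn.execute("INSERT INTO students (name) VALUES ('Alice')")
    conn.commit()
    return conn


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    """Check the catalogue so we can observe whether DROP TABLE actually ran."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def insert_vulnerable(conn: sqlite3.Connection, student_name: str) -> str:
    """Old pattern: Format String builds the SQL, Query executes the whole string."""
    query = "INSERT INTO students (name) VALUES ('{}');".format(student_name)
    # Assumption: executescript() runs every statement in the string, which models
    # drivers that accept stacked statements; sqlite3.execute() would refuse them.
    conn.executescript(query)
    return query


def insert_parameterized(conn: sqlite3.Connection, student_name: str) -> str:
    """New pattern: placeholder in the statement, value handed to the driver as data."""
    # Assumption: sqlite3's paramstyle is '?'; psycopg2/pymysql use '%s' as on the page.
    query = "INSERT INTO students (name) VALUES (?);"
    conn.execute(query, (student_name,))  # the driver binds the value; it is never parsed as SQL
    conn.commit()
    return query


def demo() -> dict:
    """Run the same payload through both paths and report what happened to the table."""
    results = {}

    conn = fresh_db()
    insert_vulnerable(conn, PAYLOAD)
    results["vulnerable_table_survives"] = table_exists(conn, "students")

    conn = fresh_db()
    insert_parameterized(conn, PAYLOAD)
    results["parameterized_table_survives"] = table_exists(conn, "students")
    # The payload is stored verbatim as a name: data stayed data.
    results["parameterized_stored_name"] = conn.execute(
        "SELECT name FROM students WHERE name = ?", (PAYLOAD,)
    ).fetchone()[0]
    results["parameterized_row_count"] = conn.execute(
        "SELECT COUNT(*) FROM students"
    ).fetchone()[0]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On the vulnerable path the students table is gone after one call; on the parameterized path it survives and the payload sits in the table as an ordinary, if odd, name. Escaping or validating `${student_name}` would have to anticipate every quoting trick of every dialect, whereas binding hands the value to the driver, which never interprets it as SQL.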
What’s included
- Writeup: the full analysis of the injection mechanics, and a comparison of the four defenses (parameterized queries as the primary fix, plus stored procedures, database-specific escaping, and input validation as secondary controls).
- Upstream PR: the actual feature work that made parameterized queries available in RPA.Database.
- Exploit & fix demo: a runnable Robot Framework project showing the vulnerable pattern being exploited and the parameterized version defeating the same payload.
- OWASP cheatsheet: Robot Framework / RPA injection examples and remediation contributed to the OWASP Citizen Development Top 10 (“06 – Injection”).
Why it matters
Low-code and RPA democratize automation, but they also resurrect vulnerability classes the software industry long considered solved, because the people building these automations were never the audience for the original lessons. Fixing the library default, documenting the why, and feeding it back into OWASP guidance is the secure-by-design playbook: make the safe path available, idiomatic, and the documented recommendation.