fix get_one sqla.ModelView

[samialfattani]

A run-time error is raised when get_one() is called in flask_admin.contrib.sqla.view.ModelView

To replicate the error try to browse this: /admin/details/?id=1,2

Risk:
A security vulnerability is raised by Tnable where it could lead to Blind SQL Inejection which is classified as a High risk vulnerability. This can be exploited in /edit and /details

A test case is added to make sure that /admin/details/?id=1,2 is working as expected

[ElLorans]

The value is passed to SQLAlchemy’s Session.get() using bound parameters, not interpolated SQL, so the security vulnerability is a false positive.
Passing 1,2 on a model with int primary key returns a 400 response, which is correct, so I am inclined towards closing this PR.

[ElLorans]

Why tools.escape?
Looks unnecessary to me

[samialfattani]

hmmm, what if the actual string-single-PK="1,2", is it possible to navigate /admin/details?id=1,2 without escaping ?

[ElLorans]

yes, by passing another time iterdecode. Here you don't need to escape, but to undo the escaping needed to build the url.

[samialfattani]

what do you mean by build the url ?

[ElLorans]

The url that is linked in a view e.g. the one for editing will be edit/?id=1,2 but 1,2 will be escaped. You can check it by clicking on the pencil icon of a list view

[samialfattani]

ok, yes, it will be escaped, but what if the user wrote edit/?id=1,2 manually in the browser ? then 500 will be returned with error.

[samialfattani]

The value is passed to SQLAlchemy’s Session.get() using bound parameters, not interpolated SQL, so the security vulnerability is a false positive. Passing 1,2 on a model with int primary key returns a 400 response, which is correct, so I am inclined towards closing this PR.

Actually it returns 500!, here is what we got without this PR