-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Adding validation to check not to have ddl, dml commands in sqlSearch filter text #331
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me. Maybe another commiter can look at it too.
|
||
private final static String[] COMMENTS = { "--", "({", "/*", "#" }; | ||
|
||
private final static String SQL_PATTERN = "[a-zA-Z_=,.'\"`% ()0-9]*"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
! or <> is not allowed.... inequality or comparison cannot be done as part of sqlSearch
} | ||
} | ||
|
||
//Removing the space before and after '=' operator |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Code between line 55 and 109 is futile in preventing unauthorised data access (office hierarchy restriction)....
For eg... it will throw an exception for string "' OR '1' = '1'"
but not for
a. "a' OR '1' = '1"
b. "a' OR '2' != '1'"
Basically we can retrieve all the data irrespective of user hierarchy restriction.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The main purpose of the fix is not to return un authorized data. In above cases, it won't return any data as where condition fails.
@@ -225,6 +228,7 @@ private String buildSqlStringFromClientCriteria(final SearchParameters searchPar | |||
|
|||
String extraCriteria = ""; | |||
if (sqlSearch != null) { | |||
SQLInjectionValidator.validateSQLInput(sqlSearch); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This check should done for all the string params that are received for eg. in this class it should be checked for externalId, name and orderBy etc......
Also for completeness these checks needs to be done across all read platform services
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Instead of we are checking whether operand and value are same. This case will be considered as invalid sql
@@ -225,6 +228,7 @@ private String buildSqlStringFromClientCriteria(final SearchParameters searchPar | |||
|
|||
String extraCriteria = ""; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I feel supporting sqlSearch is futile..... based on the validation code, we can always find a workaround injection....
I suggest getting rid of this support....
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This use case is legacy and used by some customers. So we can't get rid of this fix.
So we have discussed internally before suggesting this fix.
@@ -225,6 +228,7 @@ private String buildSqlStringFromClientCriteria(final SearchParameters searchPar | |||
|
|||
String extraCriteria = ""; | |||
if (sqlSearch != null) { | |||
SQLInjectionValidator.validateSQLInput(sqlSearch); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Instead of validating input param string.... I would suggest rewriting the query as prepared statements..... Have a list to add/track a value when a sql is appended.....
For eg.... replace extraCriteria.append(" and g.external_id = ").append(ApiParameterHelper.sqlEncodeString(externalId));
with
extraCriteria.append(" and g.external_id = ? ")
paramList.add(externalId)
convert the paramList to array and use it in the jdbcTemplate in the end while executing the query.....
I'm not sure if this approach could be used for order by clause
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My approach is simple. I am accepting any param. But both operand and value should not be equal which is solving the actual purpose of this fix.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd suggest to parse the params before we hit any depper layer ... so we can provide an early exit instead of relying to a depper level ...
No description provided.