src/hg/cirm/cdw/cdwWebBrowse/cdwWebBrowse.c 44ccfacbe3a3d4b300f80d48651c77837a4b571e

44ccfacbe3a3d4b300f80d48651c77837a4b571e
galt
  Tue Apr 26 11:12:02 2022 -0700
SQL INJECTION Prevention Version 2 - this improves our methods by making subclauses of SQL that get passed around be both easy and correct to use. The way that was achieved was by getting rid of the obscure and not well used functions sqlSafefFrag and sqlDyStringPrintfFrag and replacing them with the plain versions of those functions, since these are not needed anymore. The new version checks for NOSQLINJ in unquoted %-s which is used to include SQL clauses, and will give an error the NOSQLINJ clause is not present, and this will automatically require the correct behavior by developers. sqlDyStringPrint is a very useful function, however because it was not enforced, users could use various other dyString functions and they operated without any awareness or checking for SQL correct use. Now those dyString functions are prohibited and it will produce an error if you try to use a dyString function on a SQL string, which is simply detected by the presence of the NOSQLINJ prefix.

diff --git src/hg/cirm/cdw/cdwWebBrowse/cdwWebBrowse.c src/hg/cirm/cdw/cdwWebBrowse/cdwWebBrowse.c
index 903028d..50e8cea 100644
--- src/hg/cirm/cdw/cdwWebBrowse/cdwWebBrowse.c
+++ src/hg/cirm/cdw/cdwWebBrowse/cdwWebBrowse.c
@@ -819,70 +819,70 @@
 	else
 	    {
 	    intValTreeAdd(searchPassTree, sqlUnsigned(tsr->itemId), tsr);
 	    }
 	}
     if (securityColumnsInTable)
 	slReverse(&efList);
     }
 
 
 /* Loop through all files constructing a SQL where clause that restricts us
  * to just the ones that we're authorized to hit, and that also pass initial where clause
  * if any. */
 struct dyString *where = dyStringNew(0);
 if (!isEmpty(initialWhere))
-    sqlDyStringPrintfFrag(where, "(%-s)", initialWhere); // trust
+    sqlDyStringPrintf(where, "(%-s)", initialWhere); // trust
 if (securityColumnsInTable)
     {
     if (user)
 	{
 	// get all groupIds belonging to this user
 	char query[256];
 	if (!user->isAdmin)
 	    {
 	    sqlSafef(query, sizeof(query), 
 		"select groupId from cdwGroupUser "
 		" where cdwGroupUser.userId = %d", user->id);
 	    struct sqlResult *sr = sqlGetResult(conn, query);
 	    char **row;
 	    if (!isEmpty(where->string))
 		sqlDyStringPrintf(where, " and ");
-	    sqlDyStringPrintfFrag(where, "(allAccess > 0");
+	    sqlDyStringPrintf(where, "(allAccess > 0");
 	    while ((row = sqlNextRow(sr)) != NULL)
 		{
 		int groupId = sqlUnsigned(row[0]);
 		sqlDyStringPrintf(where, " or FIND_IN_SET('%u', groupIds)", groupId);
 		}
 	    sqlFreeResult(&sr);
 	    sqlDyStringPrintf(where, ")");
 	    }
 	}
     else
 	{
 	if (!isEmpty(where->string))
 	    sqlDyStringPrintf(where, " and ");
-	sqlDyStringPrintfFrag(where, "allAccess > 0");
+	sqlDyStringPrintf(where, "allAccess > 0");
 	}
     }
 
 if (efList 
     || (securityColumnsInTable && (!isEmpty(searchString)))) // have search terms but nothing was found
     {
     if (!isEmpty(where->string))
 	sqlDyStringPrintf(where, " and ");
-    sqlDyStringPrintfFrag(where, "file_id in (0");	 // initial 0 never found, just makes code smaller
+    sqlDyStringPrintf(where, "file_id in (0");	 // initial 0 never found, just makes code smaller
     for (ef = efList; ef != NULL; ef = ef->next)
 	{
 	if (searchPassTree == NULL || securityColumnsInTable || intValTreeFind(searchPassTree, ef->id) != NULL)
 	    {
 	    sqlDyStringPrintf(where, ",%u", ef->id);
 	    }
 	}
     sqlDyStringPrintf(where, ")");
     }
 
 rbTreeFree(&searchPassTree);
 
 // return three variables
 *retWhere  = where;
 *retList   = efList;
@@ -903,40 +903,40 @@
 struct dyString *dummy;
 struct dyString *filteredWhere;
 char *table = isEmpty(initialWhere) ? getCdwTableSetting("cdwFileFacets") : getCdwTableSetting("cdwFileTags");
 
 webTableBuildQuery(cart, table, accWhere->string, "cdwBrowseFiles", fileTableFields, FALSE, &dummy, &filteredWhere);
 
 // Selected Facet Values Filtering
 char *selectedFacetValues=cartUsualString(cart, "cdwBrowseFiles_facet_selList", "");
 struct facetField *selectedList = deLinearizeFacetValString(selectedFacetValues);
 struct facetField *sff = NULL;
 struct dyString *facetedWhere = dyStringNew(1024);
 for (sff = selectedList; sff; sff=sff->next)
     {
     if (slCount(sff->valList)>0)
 	{
-	sqlDyStringPrintfFrag(facetedWhere, " and ");  // use Frag to prevent NOSQLINJ tag
+	sqlDyStringPrintf(facetedWhere, " and ");  // use Frag to prevent NOSQLINJ tag
 	sqlDyStringPrintf(facetedWhere, "ifnull(%s,'n/a') in (", sff->fieldName);
 	struct facetVal *el;
 	for (el=sff->valList; el; el=el->next)
 	    {
 	    sqlDyStringPrintf(facetedWhere, "'%s'", el->val);
 	    if (el->next)
 		sqlDyStringPrintf(facetedWhere, ",");
 	    }
-	sqlDyStringPrintfFrag(facetedWhere, ")");
+	sqlDyStringPrintf(facetedWhere, ")");
 	}
     }
 
 // get their fileIds
 struct dyString *tagQuery = sqlDyStringCreate("SELECT file_id from %s %-s", table, filteredWhere->string); // trust
 sqlDyStringPrintf(tagQuery,  "%-s", facetedWhere->string); // trust because it was created safely
 struct slName *fileIds = sqlQuickList(conn, tagQuery->string);
 
 // retrieve the cdwFiles objects for these
 struct dyString *fileQuery = sqlDyStringCreate("SELECT * FROM cdwFile WHERE id IN (");
 sqlDyStringPrintValuesList(fileQuery, fileIds);
 sqlDyStringPrintf(fileQuery, ")");
 return cdwFileLoadByQuery(conn, fileQuery->string);
 }
 
@@ -1602,77 +1602,77 @@
     slNameAddHead(&allFieldList, row[0]);
     }
 sqlFreeResult(&sr);
 slReverse(&allFieldList);
 
 // Verify the query restrictions are on existing fields
 cdwCheckRqlFields(rql, allFieldList);
 
 // Obtain the list of fields to be returned by the query
 struct slName *returnedFieldList = wildExpandList(allFieldList, rql->fieldList, TRUE);
 
 // Retrieve results from the server
 struct dyString *sqlQuery = dyStringNew(0);
 sqlDyStringPrintf(sqlQuery, "select ");
 struct slName *l = returnedFieldList;
-sqlDyStringPrintfFrag(sqlQuery, "%s", l->name);
+sqlDyStringPrintf(sqlQuery, "%s", l->name);
 l = l->next;
 while (l != NULL)
     {
-    sqlDyStringPrintfFrag(sqlQuery, ",%s", l->name);
+    sqlDyStringPrintf(sqlQuery, ",%s", l->name);
     l = l->next;
     }
-sqlDyStringPrintfFrag(sqlQuery, " from cdwFileTags");
+sqlDyStringPrintf(sqlQuery, " from cdwFileTags");
 
 int whereClauseStarted = 0;
 if (!isEmpty(where))
     {
     // Can't use sqlDyString functions due to the possible presence of valid wildcards, but
     // the while clause has already been validated by passing through the more restrictive
     // rql parser anyway.
-    dyStringPrintf(sqlQuery, " where %s", rqlParseToSqlWhereClause(rql->whereClause, FALSE));
+    sqlDyStringPrintf(sqlQuery, " where %-s", rqlParseToSqlWhereClause(rql->whereClause, FALSE));
     whereClauseStarted = 1;
     }
 
 // Ensure the user has access to the data.  Access means either it's a public set (allAccess = 1) or one of the user's
 // associated group IDs appears in the groupIds field (or they're an admin).
 if ((user == NULL) || (!user->isAdmin))
     {
     if (whereClauseStarted == 0)
         {
-        dyStringPrintf(sqlQuery, " where ");
+        sqlDyStringPrintf(sqlQuery, " where ");
         whereClauseStarted = 1;
         }
     else
-        dyStringPrintf(sqlQuery, " and ");
-    sqlDyStringPrintfFrag(sqlQuery, "(allAccess = 1");
+        sqlDyStringPrintf(sqlQuery, " and ");
+    sqlDyStringPrintf(sqlQuery, "(allAccess = 1");
     if (user != NULL)
         {
         // Handle group-based access for this user
         struct dyString *groupQuery = dyStringNew(0);
         sqlDyStringPrintf(groupQuery, "select groupId from cdwGroupUser where userId = %u\n", user->id);
         sr = sqlGetResult(conn, groupQuery->string);
         while ((row = sqlNextRow(sr)) != NULL)
             {
-            sqlDyStringPrintfFrag(sqlQuery, " or find_in_set(\"%s\", groupIds) > 0", row[0]);
+            sqlDyStringPrintf(sqlQuery, " or find_in_set(\"%s\", groupIds) > 0", row[0]);
             }
         sqlFreeResult(&sr);
         }
-    sqlDyStringPrintfFrag(sqlQuery, ")");
+    sqlDyStringPrintf(sqlQuery, ")");
     }
 // limit
-sqlDyStringPrintfFrag(sqlQuery, " limit %d", limit);
+sqlDyStringPrintf(sqlQuery, " limit %d", limit);
 
 // Now to actually fetch the data!
 sr = sqlGetResult(conn, sqlQuery->string);
 struct slName *fieldNames = sqlResultFieldList(sr);
 struct slRef *resultData = NULL;
 while ((row = sqlNextRow(sr)) != NULL)
     {
     struct slPair *fieldList = NULL;
     struct slName *fieldName = fieldNames;
     int fieldIdx = 0;
     while (fieldName != NULL)
         {
         char *val = NULL;
         if (!isEmpty(row[fieldIdx]))
             val = cloneString(row[fieldIdx]);
@@ -2283,31 +2283,31 @@
 }
 
 void initFields()
 /* initialize fields */
 {
 visibleFacetFields = getCdwSetting("cdwFacetFields", FILEFACETFIELDS);
 char temp[1024];
 safef(temp, sizeof temp, "%s,%s", FILEFIELDS, visibleFacetFields);
 fileTableFields = cloneString(temp);
 
 // filter fields against fields in current facet table
 struct sqlConnection *conn = sqlConnect(cdwDatabase);
 struct slName *fNames = sqlFieldNames(conn, getCdwTableSetting("cdwFileFacets"));
 sqlDisconnect(&conn);
 
-struct dyString *dy = newDyString(128);
+struct dyString *dy = dyStringNew(128);
 char *fieldNames[128];
 char *tempFileTableFields = cloneString(fileTableFields);
 int fieldCount = chopString(tempFileTableFields, ",", fieldNames, ArraySize(fieldNames));
 int i;
 for (i = 0; i<fieldCount; i++)
     {
     if (slNameInList(fNames, fieldNames[i]))
 	{
 	if (dy->stringSize > 0)
 	    dyStringAppendC(dy, ',');
 	dyStringAppend(dy, fieldNames[i]);
 	}
     }
 freeMem(fileTableFields);
 fileTableFields = dyStringCannibalize(&dy);