src/hg/gsid/gsidMember/gsidMember.c 44ccfacbe3a3d4b300f80d48651c77837a4b571e

44ccfacbe3a3d4b300f80d48651c77837a4b571e
galt
  Tue Apr 26 11:12:02 2022 -0700
SQL INJECTION Prevention Version 2 - this improves our methods by making subclauses of SQL that get passed around be both easy and correct to use. The way that was achieved was by getting rid of the obscure and not well used functions sqlSafefFrag and sqlDyStringPrintfFrag and replacing them with the plain versions of those functions, since these are not needed anymore. The new version checks for NOSQLINJ in unquoted %-s which is used to include SQL clauses, and will give an error the NOSQLINJ clause is not present, and this will automatically require the correct behavior by developers. sqlDyStringPrint is a very useful function, however because it was not enforced, users could use various other dyString functions and they operated without any awareness or checking for SQL correct use. Now those dyString functions are prohibited and it will produce an error if you try to use a dyString function on a SQL string, which is simply detected by the presence of the NOSQLINJ prefix.

diff --git src/hg/gsid/gsidMember/gsidMember.c src/hg/gsid/gsidMember/gsidMember.c
index 2676d68..74551d5 100644
--- src/hg/gsid/gsidMember/gsidMember.c
+++ src/hg/gsid/gsidMember/gsidMember.c
@@ -141,33 +141,36 @@
 boundary[i]=0;
 return cloneString(boundary);
 }
 
 
 /* --- update passwords file ----- */
 
 void updatePasswordsFile(struct sqlConnection *conn)
 /* update the passwords file containing email:encryptedPassword */
 {
 struct sqlResult *sr;
 char **row;
 
 FILE *out = mustOpen("../conf/passwords", "w");
 
-sr = sqlGetResult(conn,
-NOSQLINJ "select email,password from members where activated='Y'"
+char query[1024];
+sqlSafef(query, sizeof query, 
+"select email,password from members where activated='Y'"
 " and (expireDate='' or (current_date() < expireDate))");
+
+sr = sqlGetResult(conn, query);
 while ((row = sqlNextRow(sr)) != NULL)
     {
     fprintf(out,"%s:%s\n",row[0],row[1]);
     }
 sqlFreeResult(&sr);
 
 carefulClose(&out);
 
 }
 
 
 
 
 /* ---------- reverse DNS function --------- */
 
@@ -185,62 +188,63 @@
 hp = gethostbyaddr(&sock.sin_addr,sizeof(sock.sin_addr),AF_INET);
 if (!hp) return NULL;
 return cloneString(hp->h_name);
 }
 
 
 /* -------- paypal functions ------ */
 
 void appendSqlField(struct dyString* dy, char *varName, struct cgiVar *cgiVars)
 /* append the next field to the sql insert statement */
 {
 boolean isFirstField = dy->stringSize == 0;
 if (isFirstField)
     sqlDyStringPrintf(dy,"insert into transactions set ");
 
-sqlDyStringPrintf(dy,"%-s%s='%s'",
-    isFirstField ? "" : ", ",
+if (!isFirstField)
+    sqlDyStringPrintf(dy,",");
+sqlDyStringPrintf(dy,"%s='%s'",
     varName,
     cgiUsualString(varName,""));
 struct cgiVar *this = NULL;
 for(this=cgiVars;this;this=this->next)
     {
     if (sameString(this->name,varName))
 	this->saved = TRUE;
     }
 }
 
 
 void processIpn(struct sqlConnection *conn)
 /* process Instant Payment Notification
  *  Steps:
  *   verify server source name
  *   write to log
  *   compose post pack to paypal.com or sandbox
  *     todo: optimize this with https
  *   verify response
  *   write transaction to ipn table
  *   mark user as paid if transaction is completed
  *    (matching on email)
  *   activate user account if completed by updating "passwords" file.
  */
 {
 
 /* save the ipn post variables received to the log regardless */
 struct cgiVar *this=NULL, *cgiVars = cgiVarList();
 FILE *f=mustOpen("ipn.log","a");
-struct dyString *dy=newDyString(256);
+struct dyString *dy=dyStringNew(256);
 struct dyString *dyVerify = NULL;
 char *paypalServer = cfgOption("paypalServer");
 dyStringAppend(dy,"../cgi-bin/webscr?cmd=_notify-validate");
 for(this=cgiVars;this;this=this->next)
     {
     fprintf(f,"%s=%s\n", this->name, this->val);
     char *encodedVal = cgiEncode(this->val);
     dyStringPrintf(dy,"&%s=%s", this->name, encodedVal);
     freeMem(encodedVal);
     this->saved = FALSE; /* clear now, use later */
     }
 fflush(f);
 
 /* verify ipn sender ip */
 char *remoteAddr=getenv("REMOTE_ADDR");
@@ -326,31 +330,31 @@
 appendSqlField(dy,"address_status",cgiVars);
 appendSqlField(dy,"residence_country",cgiVars);
 appendSqlField(dy,"payer_email",cgiVars);
 appendSqlField(dy,"payer_id",cgiVars);
 appendSqlField(dy,"payer_status",cgiVars);
 appendSqlField(dy,"payment_type",cgiVars);
 appendSqlField(dy,"payment_gross",cgiVars);
 appendSqlField(dy,"payment_fee",cgiVars);
 appendSqlField(dy,"business",cgiVars);
 appendSqlField(dy,"referrer_id",cgiVars);
 appendSqlField(dy,"receiver_id",cgiVars);
 appendSqlField(dy,"charset",cgiVars);
 appendSqlField(dy,"custom",cgiVars);
 appendSqlField(dy,"notify_version",cgiVars);
 appendSqlField(dy,"verify_sign",cgiVars);
-struct dyString *dyOther=newDyString(256);
+struct dyString *dyOther=dyStringNew(256);
 /* catchall for fields we did not anticipate, or future fields */
 for(this=cgiVars;this;this=this->next)
     {
     if (!this->saved)
 	dyStringPrintf(dyOther,"%s=%s\\n", this->name, this->val);
     /* remove these vars from the cart for better security/privacy */
     cartRemove(cart, this->name);
     }
 sqlDyStringPrintf(dy,", otherFields='%s'", dyOther->string);
 dyStringFree(&dyOther);
 
 //debug  TODO: clean that out of trash
 //writeGulp("../trash/debug.sql", dy->string, dy->stringSize);
 
 sqlUpdate(conn,dy->string);
@@ -465,31 +469,33 @@
 dyStringFree(&dyVerify);
 }
 
 /* -------- functions ---- */
 
 void debugShowAllMembers(struct sqlConnection *conn)
 /* display all members */
 {
 struct sqlResult *sr;
 char **row;
 
 hPrintf("<h1>Members</h1>");
 hPrintf("<table>");
 hPrintf("<th>email</th><th>password</th>");
 
-sr = sqlGetResult(conn, NOSQLINJ "select * from members");
+char query[1024];
+sqlSafef(query, sizeof query, "select * from members");
+sr = sqlGetResult(conn, query);
 while ((row = sqlNextRow(sr)) != NULL)
     {
     hPrintf("<tr><td>%s</td><td>%s</td></tr>",row[0],row[1]);
     }
 sqlFreeResult(&sr);
 
 hPrintf("</table>");
 }
 
 
 
 void lostPasswordPage(struct sqlConnection *conn)
 /* draw the lost password page */
 {
 hPrintf(
@@ -1118,31 +1124,32 @@
 
     hPrintf("<h1>Account Information for %s:</h1>\n",m->email);
     hPrintf("<table>\n");
     hPrintf("<tr><td align=right>name:</td><td>%s</td><tr>\n",m->name);
     hPrintf("<tr><td align=right>phone:</td><td>%s</td><tr>\n",m->phone);
     hPrintf("<tr><td align=right>institution:</td><td>%s</td><tr>\n",m->institution);
     hPrintf("<tr><td align=right>type:</td><td>%s</td><tr>\n",m->type);
     hPrintf("<tr><td align=right>amount paid:</td><td>$%8.2f</td><tr>\n",m->amountPaid);
     hPrintf("<tr><td align=right>expiration:</td><td>%s</td><tr>\n",m->expireDate);
     hPrintf("<tr><td align=right>activated:</td><td>%s</td><tr>\n",m->activated);
     hPrintf("</table>\n");
     hPrintf("<br>\n");
 
 
     /* add payment button if needed */
-    char *currentDate=sqlQuickString(conn, NOSQLINJ "select current_date()");
+    sqlSafef(query, sizeof query, "select current_date()");
+    char *currentDate=sqlQuickString(conn, query);
     if (!sameString(m->activated,"Y") || strcmp(currentDate,m->expireDate)>0)
 	{
 	drawPaymentButton(conn, m->type);
 	}
     freez(&currentDate);
 
     hPrintf("Return to <a href=\"gsidMember\">signup</A>.<br>\n");
     hPrintf("Go to <a href=\"/\">GSID HIV Data Browser</A>.<br>\n");
     }
 else
     {
     hPrintf("<h1>Invalid User/Password</h1>\n",m->email);
     hPrintf("Return to <a href=\"gsidMember\">signup</A>.<br>\n");
     }