44ccfacbe3a3d4b300f80d48651c77837a4b571e
galt
  Tue Apr 26 11:12:02 2022 -0700
SQL INJECTION Prevention Version 2 - this improves our methods by making subclauses of SQL that get passed around be both easy and correct to use. The way that was achieved was by getting rid of the obscure and not well used functions sqlSafefFrag and sqlDyStringPrintfFrag and replacing them with the plain versions of those functions, since these are not needed anymore. The new version checks for NOSQLINJ in unquoted %-s which is used to include SQL clauses, and will give an error the NOSQLINJ clause is not present, and this will automatically require the correct behavior by developers. sqlDyStringPrint is a very useful function, however because it was not enforced, users could use various other dyString functions and they operated without any awareness or checking for SQL correct use. Now those dyString functions are prohibited and it will produce an error if you try to use a dyString function on a SQL string, which is simply detected by the presence of the NOSQLINJ prefix.

diff --git src/hg/hgCoordConv/hgCoordConv.c src/hg/hgCoordConv/hgCoordConv.c
index 01ac341..45857ab 100644
--- src/hg/hgCoordConv/hgCoordConv.c
+++ src/hg/hgCoordConv/hgCoordConv.c
@@ -195,31 +195,31 @@
 for (db=dbList; db != NULL; db=db->next)
     {
     if(sameString("Human", db->organism) && !strstrNoCase(db->name, "zoo"))
 	array[i++] = cloneString(db->description);
     }
 dbDbFreeList(&dbList);
 *retArray = array;
 *retCount = count;
 }
 
 
 
 void appendWarningMsg(char *warning)
 /* keep track of error messages for the user */
 {
-struct dyString *warn = newDyString(1024);
+struct dyString *warn = dyStringNew(1024);
 dyStringPrintf(warn, "%s", warning);
 slAddHead(&webWarning, warn);
 }
 
 void posAbort(char *position)
 /** print error message about format of position input */
 {
 char buff[256];
 snprintf(buff, sizeof(buff), "Expecting position in the form chrN:10000-20000 got %s",
          (position != NULL ? position : ""));
 webAbort("Error:", buff );
 }
 
 void parseThePosition(char *origPos, char **chr, int *s, int *e)
 /** Parse the coordinate information from the user text */
@@ -240,46 +240,46 @@
 *tmp2 = '\0';
 tmp2++;
 *s = atoi(stripCommas(tmp));
 *e = atoi(stripCommas(tmp2));
 }
 
 static char *ccFreezeDbConversion(char *database, char *freeze, char *org)
 /* Find freeze given database or vice versa.  Pass in NULL
  * for parameter that is unknown and it will be returned
  * as a result.  This result can be freeMem'd when done. */
 {
 struct sqlConnection *conn = hConnectCentral();
 struct sqlResult *sr;
 char **row;
 char *ret = NULL;
-struct dyString *dy = newDyString(128);
+struct dyString *dy = dyStringNew(128);
 
 if (database != NULL)
     sqlDyStringPrintf(dy,"select description from dbDb where name = '%s' and (genome like '%s' "
                       "or genome like 'Zoo')", database, org);
 else if (freeze != NULL)
     sqlDyStringPrintf(dy,"select name from dbDb where description = '%s' and (genome like '%s' "
                       "or genome like 'Zoo')", freeze, org);
 else
     internalErr();
 sr = sqlGetResult(conn, dy->string);
 if ((row = sqlNextRow(sr)) != NULL)
     ret = cloneString(row[0]);
 sqlFreeResult(&sr);
 hDisconnectCentral(&conn);
-freeDyString(&dy);
+dyStringFree(&dy);
 return ret;
 }
 
 
 void checkArguments()
 /** setup our parameters depending on whether we've been called as a
     cgi script or from the command line */
 {
 hgTest = cgiBoolean("hgTest");
 numTests = cgiOptionalInt("numTests",0);
 origDb = cgiOptionalString("origDb");
 origGenome = cgiOptionalString("origGenome");
 newGenome = cgiOptionalString("newGenome");
 position = cgiOptionalString("position");
 chrom = cgiOptionalString("chrom");
@@ -306,31 +306,31 @@
     origGenome = ccFreezeDbConversion(NULL, origGenome, organism);
 if (newGenome != NULL)
     newGenome = ccFreezeDbConversion(NULL, newGenome, organism);
 
 /* make sure that we've got valid arguments */
 if ((  newGenome == NULL
     || origGenome == NULL
     || chrom == NULL
     || chromStart == -1
     || chromEnd == -1)
 &&  calledSelf)
     webAbort("Error:", "Missing some inputs.");
 
 if( origGenome != NULL && sameString(origGenome, newGenome))
     {
-    struct dyString *warning = newDyString(1024);
+    struct dyString *warning = dyStringNew(1024);
     dyStringPrintf(warning, "Did you really want to convert from %s to %s (the same genome)?",
                    ccFreezeDbConversion(origGenome, NULL, organism), \
                    ccFreezeDbConversion(newGenome, NULL, organism));
     appendWarningMsg(warning->string);
     dyStringFree(&warning);
     }
 }
 
 char *makeBrowserUrl(char *version, char*chrom, int start, int end)
 /** create a url of the form hgTracks likes */
 {
 char url[256];
 sprintf(url, "%sposition=%s:%d-%d&db=%s", browserUrl, chrom, start, end, version);
 return cloneString(url);
 }