src/hg/hgSession/hgSession.c 44ccfacbe3a3d4b300f80d48651c77837a4b571e

44ccfacbe3a3d4b300f80d48651c77837a4b571e
galt
  Tue Apr 26 11:12:02 2022 -0700
SQL INJECTION Prevention Version 2 - this improves our methods by making subclauses of SQL that get passed around be both easy and correct to use. The way that was achieved was by getting rid of the obscure and not well used functions sqlSafefFrag and sqlDyStringPrintfFrag and replacing them with the plain versions of those functions, since these are not needed anymore. The new version checks for NOSQLINJ in unquoted %-s which is used to include SQL clauses, and will give an error the NOSQLINJ clause is not present, and this will automatically require the correct behavior by developers. sqlDyStringPrint is a very useful function, however because it was not enforced, users could use various other dyString functions and they operated without any awareness or checking for SQL correct use. Now those dyString functions are prohibited and it will produce an error if you try to use a dyString function on a SQL string, which is simply detected by the presence of the NOSQLINJ prefix.

diff --git src/hg/hgSession/hgSession.c src/hg/hgSession/hgSession.c
index 0c81bc1..fbeecd1 100644
--- src/hg/hgSession/hgSession.c
+++ src/hg/hgSession/hgSession.c
@@ -800,31 +800,31 @@
 if (dy)
     dyStringPrintf(dy,"&%s=on", CART_HAS_DEFAULT_VISIBILITY);
 else
     printf("%s on", CART_HAS_DEFAULT_VISIBILITY);
 }
 
 #define INITIAL_USE_COUNT 0
 static int saveCartAsSession(struct sqlConnection *conn, char *encUserName, char *encSessionName,
                              int sharingLevel)
 /* Save all settings in cart, either adding a new session or overwriting an existing session.
  * Return useCount so that the caller can distinguish between adding and overWriting. */
 {
 struct sqlResult *sr = NULL;
 struct dyString *dy = dyStringNew(16 * 1024);
 char **row;
-char *firstUse = "now()";
+char *firstUse = NULL;
 int useCount = INITIAL_USE_COUNT;
 char firstUseBuf[32];
 char *settings = "";
 
 boolean gotSettings = (sqlFieldIndex(conn, namedSessionTable, "settings") >= 0);
 
 /* If this session already existed, preserve its firstUse, useCount,
  * and settings (if available). */
 if (gotSettings)
     sqlDyStringPrintf(dy, "SELECT firstUse, useCount, settings FROM %s "
                   "WHERE userName = '%s' AND sessionName = '%s';",
                   namedSessionTable, encUserName, encSessionName);
 else
     sqlDyStringPrintf(dy, "SELECT firstUse, useCount FROM %s "
                   "WHERE userName = '%s' AND sessionName = '%s';",
@@ -844,52 +844,56 @@
     }
 sqlFreeResult(&sr);
 
 saveSessionData(cart, encUserName, encSessionName,
                 cgiOptionalString(hgsSessionDataDbSuffix));
 
 /* Remove pre-existing session (if any) before updating. */
 dyStringClear(dy);
 sqlDyStringPrintf(dy, "DELETE FROM %s WHERE userName = '%s' AND "
                   "sessionName = '%s';",
                   namedSessionTable, encUserName, encSessionName);
 sqlUpdate(conn, dy->string);
 
 dyStringClear(dy);
 sqlDyStringPrintf(dy, "INSERT INTO %s ", namedSessionTable);
-dyStringAppend(dy, "(userName, sessionName, contents, shared, "
+sqlDyStringPrintf(dy, "(userName, sessionName, contents, shared, "
                "firstUse, lastUse, useCount");
 if (gotSettings)
-    dyStringAppend(dy, ", settings");
-dyStringAppend(dy, ") VALUES (");
-sqlDyStringPrintfFrag(dy, "'%s', '%s', ", encUserName, encSessionName);
-dyStringAppend(dy, "'");
+    sqlDyStringPrintf(dy, ", settings");
+sqlDyStringPrintf(dy, ") VALUES (");
+sqlDyStringPrintf(dy, "'%s', '%s', ", encUserName, encSessionName);
+sqlDyStringPrintf(dy, "'");
 cleanHgSessionFromCart(cart);
-struct dyString *encoded = newDyString(4096);
+struct dyString *encoded = dyStringNew(4096);
 cartEncodeState(cart, encoded);
 
 // Now add all the default visibilities to output.
 outDefaultTracks(cart, encoded);
 
 sqlDyAppendEscaped(dy, encoded->string);
 dyStringFree(&encoded);
-dyStringAppend(dy, "', ");
-dyStringPrintf(dy, "%d, ", sharingLevel);
-dyStringPrintf(dy, "%s, now(), %d", firstUse, useCount);
+sqlDyStringPrintf(dy, "', ");
+sqlDyStringPrintf(dy, "%d, ", sharingLevel);
+if (firstUse)
+    sqlDyStringPrintf(dy, "'%s', ", firstUse);
+else
+    sqlDyStringPrintf(dy, "now(), ");
+sqlDyStringPrintf(dy, "now(), %d", useCount);
 if (gotSettings)
-    sqlDyStringPrintfFrag(dy, ", '%s'", settings);
-dyStringPrintf(dy, ");");
+    sqlDyStringPrintf(dy, ", '%s'", settings);
+sqlDyStringPrintf(dy, ")");
 sqlUpdate(conn, dy->string);
 dyStringFree(&dy);
 
 /* Prevent modification of custom track collections just saved to namedSessionDb: */
 cartCopyCustomComposites(cart);
 return useCount;
 }
 
 char *doNewSession(char *userName)
 /* Save current settings in a new named session.
  * Return a message confirming what we did. */
 {
 if (userName == NULL)
     return "Unable to save session -- please log in and try again.";
 struct dyString *dyMessage = dyStringNew(2048);