44ccfacbe3a3d4b300f80d48651c77837a4b571e galt Tue Apr 26 11:12:02 2022 -0700 SQL INJECTION Prevention Version 2 - this improves our methods by making subclauses of SQL that get passed around be both easy and correct to use. The way that was achieved was by getting rid of the obscure and not well used functions sqlSafefFrag and sqlDyStringPrintfFrag and replacing them with the plain versions of those functions, since these are not needed anymore. The new version checks for NOSQLINJ in unquoted %-s which is used to include SQL clauses, and will give an error the NOSQLINJ clause is not present, and this will automatically require the correct behavior by developers. sqlDyStringPrint is a very useful function, however because it was not enforced, users could use various other dyString functions and they operated without any awareness or checking for SQL correct use. Now those dyString functions are prohibited and it will produce an error if you try to use a dyString function on a SQL string, which is simply detected by the presence of the NOSQLINJ prefix. diff --git src/hg/hgTracks/vcfTrack.c src/hg/hgTracks/vcfTrack.c index 5e1dc07..883d7e0 100644 --- src/hg/hgTracks/vcfTrack.c +++ src/hg/hgTracks/vcfTrack.c @@ -813,73 +813,80 @@ { struct txInfo *txi; AllocVar(txi); txi->psl = pslLoad(row+binOffset); slAddHead(&txiList, txi); hashAdd(txiHash, txi->psl->qName, txi); } sqlFreeResult(&sr); *retTxiHash = txiHash; return txiList; } static void txiInfoAppendIdList(struct dyString *query, struct txInfo *txiList) /* Append a paren-enclosed list of quoted transcript IDs to query. */ { -dyStringAppendC(query, '('); +sqlDyStringPrintf(query, "("); struct txInfo *txi; for (txi = txiList; txi != NULL; txi = txi->next) { if (txi != txiList) - dyStringAppend(query, ", "); - dyStringPrintf(query, "'%s'", txi->psl->qName); + sqlDyStringPrintf(query, ", "); + sqlDyStringPrintf(query, "'%s'", txi->psl->qName); } -dyStringAppendC(query, ')'); +sqlDyStringPrintf(query, ")"); } static void txInfoAddCdsFromQuery(struct hash *txiHash, struct sqlConnection *conn, char *query) /* Perform query; results have two fields, transcript name (which must be found in txiHash) and * GenBank-formatted CDS string. For reach row from the query, parse the CDS string into the cds * in the struct txInfo for the appropriate transcript. */ { struct sqlResult *sr = sqlGetResult(conn, query); char **row; while ((row = sqlNextRow(sr)) != NULL) { char *name = row[0]; char *cdsStr = row[1]; struct txInfo *txi = hashMustFindVal(txiHash, name); AllocVar(txi->cds); genbankCdsParse(cdsStr, txi->cds); } sqlFreeResult(&sr); } static struct txInfo *txInfoLoadNcbiRefSeq(struct seqWindow *gSeqWin, struct trackDb *gTdb) /* Load ncbiRefSeq[Curated] PSL (+ CDS and sequence) in current window and make txInfo for each. */ { struct txInfo *txiList = NULL; if (!trackHubDatabase(database) && hDbHasNcbiRefSeq(database)) { struct sqlConnection *conn = hAllocConn(database); struct hash *txiHash = hashNew(0); - char *extraWhere = NULL; + char extraWhere[1024]; + char *extra = NULL; if (sameString(gTdb->track, "ncbiRefSeqCurated")) - extraWhere = "qName not like 'X%'"; + { + sqlSafef(extraWhere, sizeof extraWhere, "qName not like 'X%%'"); + extra = extraWhere; + } else if (sameString(gTdb->track, "ncbiRefSeqPredicted")) - extraWhere = "qName like 'X%'"; - txiList = txInfoInitFromPsl(conn, "ncbiRefSeqPsl", extraWhere, &txiHash); + { + sqlSafef(extraWhere, sizeof extraWhere, "qName like 'X%%'"); + extra = extraWhere; + } + txiList = txInfoInitFromPsl(conn, "ncbiRefSeqPsl", extra, &txiHash); if (txiList) { // Now get CDS for each psl/txi: struct dyString *query = sqlDyStringCreate("select * from ncbiRefSeqCds where id in "); txiInfoAppendIdList(query, txiList); txInfoAddCdsFromQuery(txiHash, conn, query->string); // Now get transcript sequence for each psl/txi: struct hash *extNcbi = hashExtNcbiRefSeq(conn); dyStringClear(query); sqlDyStringPrintf(query, "select acc,extFile,file_offset,file_size from seqNcbiRefSeq " "where acc in "); txiInfoAppendIdList(query, txiList); struct sqlResult *sr = sqlGetResult(conn, query->string); char **row; while ((row = sqlNextRow(sr)) != NULL)