src/hg/hgc/pubs.c 44ccfacbe3a3d4b300f80d48651c77837a4b571e

44ccfacbe3a3d4b300f80d48651c77837a4b571e
galt
  Tue Apr 26 11:12:02 2022 -0700
SQL INJECTION Prevention Version 2 - this improves our methods by making subclauses of SQL that get passed around be both easy and correct to use. The way that was achieved was by getting rid of the obscure and not well used functions sqlSafefFrag and sqlDyStringPrintfFrag and replacing them with the plain versions of those functions, since these are not needed anymore. The new version checks for NOSQLINJ in unquoted %-s which is used to include SQL clauses, and will give an error the NOSQLINJ clause is not present, and this will automatically require the correct behavior by developers. sqlDyStringPrint is a very useful function, however because it was not enforced, users could use various other dyString functions and they operated without any awareness or checking for SQL correct use. Now those dyString functions are prohibited and it will produce an error if you try to use a dyString function on a SQL string, which is simply detected by the presence of the NOSQLINJ prefix.

diff --git src/hg/hgc/pubs.c src/hg/hgc/pubs.c
index f8fb650..a8668d6 100644
--- src/hg/hgc/pubs.c
+++ src/hg/hgc/pubs.c
@@ -259,67 +259,68 @@
         printf("Show these sequence matches individually on genome browser</A> (activates track \""
             "Individual matches for article\")</P>");
         }
 
     printPositionAndSize(start, end, 1);
     printf(
         "      </div> <!-- class: subsection --> \n");
     hFreeConn(&conn);
     
 }
 
 static char *makeSqlMarkerList(void)
 /* return list of sections from cgi vars, format like "'abstract','header'" */
 {
 int secCount = sizeof(pubsSecNames)/sizeof(char *);
-struct slName *names = NULL;
+struct dyString *dy = dyStringNew(1024);
 int i;
+int found = 0;
 for (i=0; i<secCount; i++) 
     {
     // add ' around name and add to list
     char *secName = pubsSecNames[i];
     if (cgiOptionalInt(secName, pubsSecChecked[i]))
 	{
-        char nameBuf[100];
-        safef(nameBuf, sizeof(nameBuf), "'%s'", secName);
-        slAddHead(&names, slNameNew(nameBuf));
+	if (i != 0)
+	    sqlDyStringPrintf(dy, ",");
+        sqlDyStringPrintf(dy, "'%s'", secName);
+	++found;
 	}
     }
 
-if (names==0)
+if (found==0)
     errAbort("You need to specify at least one article section.");
 
-char *nameListString = slNameListToString(names, ',');
-slNameFree(names);
-return nameListString;
+return dyStringCannibalize(&dy);
 }
 
 
 static struct sqlResult *queryMarkerRows(struct sqlConnection *conn, char *markerTable, \
     char *articleTable, char *item, int itemLimit, char *sectionList, char *artExtIdFilter)
 /* query marker rows from mysql, based on http parameters  
  * optionally filter on sections or just a single article
  * */
 {
 char query[4000];
 /* Mysql specific setting to make the group_concat function return longer strings */
-//sqlUpdate(conn, NOSQLINJ "SET SESSION group_concat_max_len = 100000");
+//sqlSafef(query, sizeof query, "SET SESSION group_concat_max_len = 100000");
+//sqlUpdate(conn, query);
  
 char artFilterSql[4000];
 artFilterSql[0] = 0;
 if (isNotEmpty(artExtIdFilter))
-    safef(artFilterSql, sizeof(artFilterSql), " AND extId='%s' ", artExtIdFilter);
+    sqlSafef(artFilterSql, sizeof(artFilterSql), " AND extId='%s' ", artExtIdFilter);
 
 // no need to check for illegal characters in sectionList
 sqlSafef(query, sizeof(query), "SELECT distinct %s.articleId, url, title, authors, citation, year, "  
     "pmid FROM %s "
     //"group_concat(snippet, concat(\" (section: \", section, \")\") SEPARATOR ' (...) ') FROM %s "
     "JOIN %s USING (articleId) "
     "WHERE markerId='%s' AND section in (%-s) "
     "%-s"
     //"GROUP by articleId "
     "ORDER BY year DESC "
     "LIMIT %d",
     markerTable, markerTable, articleTable, item, sectionList, artFilterSql, itemLimit);
 
     printDebug(query);