44ccfacbe3a3d4b300f80d48651c77837a4b571e galt Tue Apr 26 11:12:02 2022 -0700 SQL INJECTION Prevention Version 2 - this improves our methods by making subclauses of SQL that get passed around be both easy and correct to use. The way that was achieved was by getting rid of the obscure and not well used functions sqlSafefFrag and sqlDyStringPrintfFrag and replacing them with the plain versions of those functions, since these are not needed anymore. The new version checks for NOSQLINJ in unquoted %-s which is used to include SQL clauses, and will give an error the NOSQLINJ clause is not present, and this will automatically require the correct behavior by developers. sqlDyStringPrint is a very useful function, however because it was not enforced, users could use various other dyString functions and they operated without any awareness or checking for SQL correct use. Now those dyString functions are prohibited and it will produce an error if you try to use a dyString function on a SQL string, which is simply detected by the presence of the NOSQLINJ prefix. diff --git src/hg/lib/cart.c src/hg/lib/cart.c index bb121b0..ee29bcd 100644 --- src/hg/lib/cart.c +++ src/hg/lib/cart.c @@ -53,31 +53,31 @@ else { freeMem(hel->val); hel->val = val; } } static struct dyString *hubWarnDy; void cartHubWarn(char *format, va_list args) /* save up hub related warnings to put out later */ { char warning[1024]; vsnprintf(warning,sizeof(warning),format, args); if (hubWarnDy == NULL) - hubWarnDy = newDyString(100); + hubWarnDy = dyStringNew(100); dyStringPrintf(hubWarnDy, "%s\n", warning); } static void sanitizeString(char *str) // Remove % so we can disable format-security { for(; *str; str++) if (*str == '%') *str = ' '; } void cartFlushHubWarnings() /* flush the hub warning (if any) */ { if (hubWarnDy) @@ -221,36 +221,36 @@ } } struct cartDb *cartDbLoadFromId(struct sqlConnection *conn, char *table, char *secureId) /* Load up cartDb entry for particular ID. Returns NULL if no such id. */ { if (!secureId) return NULL; else { struct cartDb *cdb = NULL; struct dyString *where = dyStringNew(256); char *sessionKey = NULL; unsigned int id = cartDbParseId(secureId, &sessionKey); - sqlDyStringPrintfFrag(where, "id = %u", id); + sqlDyStringPrintf(where, "id = %u", id); if (cartDbUseSessionKey()) { if (!sessionKey) sessionKey = ""; - sqlDyStringPrintfFrag(where, " and sessionKey='%s'", sessionKey); + sqlDyStringPrintf(where, " and sessionKey='%s'", sessionKey); } cdb = cartDbLoadWhere(conn, table, where->string); dyStringFree(&where); if (looksCorrupted(cdb)) { /* Can't use warn here -- it interrupts the HTML header, causing an * err500 (and nothing useful in error_log) instead of a warning. */ fprintf(stderr, "%s id=%u looks corrupted -- starting over with new %s id.\n", table, id, table); cdb = NULL; } return cdb; } } @@ -1433,31 +1433,31 @@ } cartDefaultDisconnector(&conn); if (didSessionLoad) cartHideDefaultTracks(cart); return cart; } static void updateOne(struct sqlConnection *conn, char *table, struct cartDb *cdb, char *contents, int contentSize) /* Update cdb in database. */ { -struct dyString *dy = newDyString(4096); +struct dyString *dy = dyStringNew(4096); sqlDyStringPrintf(dy, "UPDATE %s SET contents='", table); sqlDyAppendEscaped(dy, contents); sqlDyStringPrintf(dy, "',lastUse=now(),useCount=%d ", cdb->useCount+1); sqlDyStringPrintf(dy, " where id=%u", cdb->id); if (cartDbUseSessionKey()) sqlDyStringPrintf(dy, " and sessionKey='%s'", cdb->sessionKey); sqlUpdate(conn, dy->string); dyStringFree(&dy); } void cartEncodeState(struct cart *cart, struct dyString *dy) /* Add a CGI-encoded var=val&... string of all cart variables to dy. */ { struct hashEl *el, *elList = hashElListHash(cart->hash); @@ -1473,31 +1473,31 @@ dyStringAppendC(dy, '&'); dyStringAppend(dy, el->name); dyStringAppendC(dy, '='); s = cgiEncode(el->val); dyStringAppend(dy, s); freez(&s); } } hashElFreeList(&elList); } static void saveState(struct cart *cart) /* Save out state to permanent storage in both user and session db. */ { struct sqlConnection *conn = cartDefaultConnector(); -struct dyString *encoded = newDyString(4096); +struct dyString *encoded = dyStringNew(4096); /* Make up encoded string holding all variables. */ cartEncodeState(cart, encoded); /* update sessionDb and userDb tables (removed check for cart stuffing bots) */ updateOne(conn, userDbTable(), cart->userInfo, encoded->string, encoded->stringSize); updateOne(conn, sessionDbTable(), cart->sessionInfo, encoded->string, encoded->stringSize); /* Cleanup */ cartDefaultDisconnector(&conn); dyStringFree(&encoded); } void cartCheckout(struct cart **pCart) /* Free up cart and save it to database. */ @@ -2286,30 +2286,39 @@ if (httpProxy) setenv("http_proxy", httpProxy, TRUE); char *httpsProxy = cfgOption("httpsProxy"); if (httpsProxy) setenv("https_proxy", httpsProxy, TRUE); char *ftpProxy = cfgOption("ftpProxy"); if (ftpProxy) setenv("ftp_proxy", ftpProxy, TRUE); char *noProxy = cfgOption("noProxy"); if (noProxy) setenv("no_proxy", noProxy, TRUE); char *logProxy = cfgOption("logProxy"); if (logProxy) setenv("log_proxy", logProxy, TRUE); +/* noSqlInj settings so they are accessible in src/lib too */ +char *noSqlInj_level = cfgOption("noSqlInj.level"); +if (noSqlInj_level) + setenv("noSqlInj_level", noSqlInj_level, TRUE); +char *noSqlInj_dumpStack = cfgOption("noSqlInj.dumpStack"); +if (noSqlInj_dumpStack) + setenv("noSqlInj_dumpStack", noSqlInj_dumpStack, TRUE); + + // if ignoreCookie is on the URL, don't check for cookies char *hguid = NULL; if ( cgiOptionalString("ignoreCookie") == NULL ) hguid = getCookieId(cookieName); char *hgsid = getSessionId(); struct cart *cart = cartNew(hguid, hgsid, exclude, oldVars); cartExclude(cart, sessionVar); return cart; } static void addHttpHeaders() /* CGIs can initialize the global variable httpHeaders to control their own HTTP * headers. This allows, for example, to prevent web browser caching of hgTracks * responses, but implicitly allow web browser caching everywhere else */ { @@ -3551,31 +3560,31 @@ cartSetString(lastDbPosCart, "nonVirtPosition", position); cartSetString(lastDbPosCart, "lastVirtModeExtra", ""); } if (pLastDbPosCart) *pLastDbPosCart = lastDbPosCart; return position; } void cartSetDbPosition(struct cart *cart, char *database, struct cart *lastDbPosCart) /* Set the 'position.db' variable in the cart.*/ { char dbPosKey[256]; safef(dbPosKey, sizeof dbPosKey, "position.%s", database); -struct dyString *dbPosValue = newDyString(4096); +struct dyString *dbPosValue = dyStringNew(4096); cartEncodeState(lastDbPosCart, dbPosValue); cartSetString(cart, dbPosKey, dbPosValue->string); } void cartTdbFetchMinMaxPixels(struct cart *theCart, struct trackDb *tdb, int defaultMin, int defaultMax, int defaultVal, int *retMin, int *retMax, int *retDefault, int *retCurrent) /* Configure maximum track height for variable height tracks (e.g. wiggle, barchart) * Initial height and limits may be defined in trackDb with the maxHeightPixels string, * Or user requested limits are defined in the cart. */ { boolean parentLevel = isNameAtParentLevel(tdb, tdb->track); char *heightPer = NULL; /* string from cart */ int minHeightPixels = defaultMin; int maxHeightPixels = defaultMax;