44ccfacbe3a3d4b300f80d48651c77837a4b571e galt Tue Apr 26 11:12:02 2022 -0700 SQL INJECTION Prevention Version 2 - this improves our methods by making subclauses of SQL that get passed around be both easy and correct to use. The way that was achieved was by getting rid of the obscure and not well used functions sqlSafefFrag and sqlDyStringPrintfFrag and replacing them with the plain versions of those functions, since these are not needed anymore. The new version checks for NOSQLINJ in unquoted %-s which is used to include SQL clauses, and will give an error the NOSQLINJ clause is not present, and this will automatically require the correct behavior by developers. sqlDyStringPrint is a very useful function, however because it was not enforced, users could use various other dyString functions and they operated without any awareness or checking for SQL correct use. Now those dyString functions are prohibited and it will produce an error if you try to use a dyString function on a SQL string, which is simply detected by the presence of the NOSQLINJ prefix. diff --git src/hg/near/hgNear/association.c src/hg/near/hgNear/association.c index 54c1b2d..aebab90 100644 --- src/hg/near/hgNear/association.c +++ src/hg/near/hgNear/association.c @@ -139,31 +139,31 @@ } } static struct genePos *wildAssociationFilter( struct slName *wildList, boolean orLogic, struct column *col, struct sqlConnection *conn, struct genePos *list) /* Handle relatively slow filtering when there is a wildcard present. */ { struct assocGroup *ag = assocGroupNew(16); struct genePos *gp; struct hash *passHash = newHash(16); /* Hash of items passing filter. */ int assocCount = 0; struct sqlResult *sr; char **row; char query[1024]; -sqlSafef(query, sizeof query, "%-s", col->queryFull); // purely for side-effect of adding NOSQLINJ prefix +sqlSafef(query, sizeof query, col->queryFull, NULL); // trust /* Build up associations. */ sr = sqlGetResult(conn, query); while ((row = sqlNextRow(sr)) != NULL) { ++assocCount; assocGroupAdd(ag, row[0],row[1]); } sqlFreeResult(&sr); /* Look for matching associations and put them on newList. */ for (gp = list; gp != NULL; gp = gp->next) { char *key = (col->protKey ? (kgVersion == KG_III ? lookupProtein(conn, gp->name) : gp->protein) @@ -259,31 +259,31 @@ else list = tameAssociationFilter(termList, orLogic, col, conn, list); } return list; } char *associationCellVal(struct column *col, struct genePos *gp, struct sqlConnection *conn) /* Make comma separated list of matches to association table. */ { char query[1024]; struct sqlResult *sr; char **row; boolean gotOne = FALSE; -struct dyString *dy = newDyString(512); +struct dyString *dy = dyStringNew(512); char *result = NULL; char *key = (col->protKey ? (kgVersion == KG_III ? lookupProtein(conn, gp->name) : gp->protein) : gp->name); struct hash *uniqHash = NULL; if (col->weedDupes) uniqHash = newHash(8); sqlSafef(query, sizeof(query), col->queryOne, key); sr = sqlGetResult(conn, query); while ((row = sqlNextRow(sr)) != NULL) { char *s = row[0]; boolean needQuote; if (uniqHash != NULL) { @@ -482,31 +482,31 @@ /* Build up hash full of all go IDs associated with gene. */ if (geneId != NULL) { sqlSafef(query, sizeof(query), ord->queryOne, geneId); sr = sqlGetResult(conn, query); while ((row = sqlNextRow(sr)) != NULL) { hashAdd(curTerms, row[0], NULL); } sqlFreeResult(&sr); } /* Stream through association table counting matches. */ -sqlSafef(query, sizeof(query), "%-s", ord->queryAll); // purely for side-effect of adding NOSQLINJ prefix +sqlSafef(query, sizeof(query), ord->queryAll, NULL); // trust sr = sqlGetResult(conn, query); while ((row = sqlNextRow(sr)) != NULL) { if (hashLookup(curTerms, row[1])) { struct hashEl *hel = hashLookup(lookupHash, row[0]); while (hel != NULL) { gp = hel->val; gp->count += 1; hel = hashLookupNext(hel); } } } sqlFreeResult(&sr);