44ccfacbe3a3d4b300f80d48651c77837a4b571e galt Tue Apr 26 11:12:02 2022 -0700 SQL INJECTION Prevention Version 2 - this improves our methods by making subclauses of SQL that get passed around be both easy and correct to use. The way that was achieved was by getting rid of the obscure and not well used functions sqlSafefFrag and sqlDyStringPrintfFrag and replacing them with the plain versions of those functions, since these are not needed anymore. The new version checks for NOSQLINJ in unquoted %-s which is used to include SQL clauses, and will give an error the NOSQLINJ clause is not present, and this will automatically require the correct behavior by developers. sqlDyStringPrint is a very useful function, however because it was not enforced, users could use various other dyString functions and they operated without any awareness or checking for SQL correct use. Now those dyString functions are prohibited and it will produce an error if you try to use a dyString function on a SQL string, which is simply detected by the presence of the NOSQLINJ prefix. diff --git src/hg/qaPushQ/qaPushQ.c src/hg/qaPushQ/qaPushQ.c index 7163619..b28ed1e 100644 --- src/hg/qaPushQ/qaPushQ.c +++ src/hg/qaPushQ/qaPushQ.c @@ -478,46 +478,46 @@ {p = "";} replaceInStr(html, sizeof(html), tempTag, p); i++; } } void initColsFromString() { int i = 0, e=0; char colName[256]; char sep[2]=""; struct dyString * s = NULL; -s = newDyString(2048); /* need room */ +s = dyStringNew(2048); /* need room */ numColumns=0; while(parseList(showColumns,',',i,colName,sizeof(colName))) { e = mapFieldToEnum(colName,FALSE); if (e >= 0) /* tolerate old nonexistent colnames in pseudocart more gracefully */ { colOrder[i] = e; dyStringPrintf(s, "%s%s", sep, colName); safef(sep,sizeof(sep),","); numColumns++; } i++; } showColumns = cloneString(s->string); -freeDyString(&s); +dyStringFree(&s); } /* -------------------- Push Queue ----------------------- */ void showSizesJavascript() /* set showSizes for cross-posting to support file sizes */ { char sizesButton[1024]; safef(sizesButton, sizeof(sizesButton), " <input TYPE=SUBMIT NAME=\"showSizes\" VALUE=\"Show Sizes\"" " ONCLICK=\"if (document.forms[0].currLoc.value!='%s') {" " document.forms[0]._action.value='xpost';" @@ -1360,57 +1360,57 @@ doDisplay(); } /* too bad this isn't part of autoSql's code generation */ void pushQUpdate(struct sqlConnection *conn, struct pushQ *el, char *tableName, int updateSize) /* Update pushQ row to the table specified by tableName. * As blob fields may be arbitrary size updateSize specifies the approx size. * of a string that would contain the entire query. Automatically * escapes all simple strings (not arrays of string) but may be slower than pushQSaveToDb(). * For example automatically copies and converts: * "autosql's features include" --> "autosql\'s features include" * before inserting into database. */ { -struct dyString *update = newDyString(updateSize); +struct dyString *update = dyStringNew(updateSize); /* had to split this up because dyStringPrintf only up to 4000 chars at one time */ sqlDyStringPrintf(update, "update %s set " "pqid='%s',priority='%s',rank=%u,qadate='%s',newYN='%s',track='%s',", tableName, el->pqid, el->priority, el->rank, el->qadate, el->newYN, el->track); sqlDyStringPrintf(update, "dbs='%s',",el->dbs); sqlDyStringPrintf(update, "tbls='%s',",el->tbls); sqlDyStringPrintf(update, "cgis='%s',",el->cgis); sqlDyStringPrintf(update, "files='%s',",el->files); sqlDyStringPrintf(update, "sizeMB=%u,currLoc='%s'," "makeDocYN='%s',onlineHelp='%s',ndxYN='%s',joinerYN='%s',stat='%s'," "sponsor='%s',reviewer='%s',extSource='%s',", el->sizeMB , el->currLoc, el->makeDocYN, el->onlineHelp, el->ndxYN, el->joinerYN, el->stat, el->sponsor, el->reviewer, el->extSource); sqlDyStringPrintf(update, "openIssues='%s',",el->openIssues); sqlDyStringPrintf(update, "notes='%s',",el->notes); sqlDyStringPrintf(update, "pushState='%s', initdate='%s', lastdate='%s', bounces='%u',lockUser='%s'," "lockDateTime='%s',releaseLog='%s',featureBits='%s',releaseLogUrl='%s'," "importance='%s' where qid='%s'", el->pushState, el->initdate, el->lastdate, el->bounces, el->lockUser, el->lockDateTime, el->releaseLog, el->featureBits, el->releaseLogUrl, el->importance, el->qid ); sqlUpdate(conn, update->string); -freeDyString(&update); +dyStringFree(&update); } void getCgiData(bool *isOK, bool isPtr, void *ptr, int size, char *name) /* get data, truncate to fit in field to prevent safef buf overflows */ { int l = 0; char **pfld = NULL; char *fld = NULL; char *cgi = NULL; cgi = cgiString(name); l = strlen(cgi); if (isPtr) { pfld = (char **) ptr; } @@ -2121,58 +2121,58 @@ else { htmShell(TITLE, doLogin, NULL); } sqlDisconnect(&conn); } void saveMyUser() /* read data for my user */ { char *tbl = "users"; struct dyString * query = NULL; -query = newDyString(2048); +query = dyStringNew(2048); if ((qaUser == NULL) || (sameString(qaUser,""))) { return; } sqlDyStringPrintf(query, "update %s set contents = '?showColumns=%s?org=%s?month=%s?oldRandState=%s' where user = '%s'", tbl, showColumns, pushQtbl, month, oldRandState, myUser.user); sqlUpdate(conn, query->string); -freeDyString(&query); +dyStringFree(&query); } void XdoPromoteColumn(int change) /* Promote the column * 1 = promote, 0 = hide, -1 = demote */ { char target[256] = ""; int i = 0; char tempBefore[256] = ""; char tempVal [256] = ""; char tempAfter [256] = ""; char tempSwap [256] = ""; struct dyString * s = NULL; -s = newDyString(2048); /* need room */ +s = dyStringNew(2048); /* need room */ safef(target, sizeof(target), "%s", cgiString("col")); while(TRUE) { parseList(showColumns,',',i,tempAfter,sizeof(tempAfter)); if ((tempBefore[0]==0) && (tempVal[0]==0) && (tempAfter[0]==0)) { break; } if (sameString(target,tempVal)) { if (change==1) { @@ -2196,31 +2196,31 @@ change = 99; /* just suppress any more changes */ } if (!sameString(tempBefore,"")) { dyStringPrintf(s, "%s,", tempBefore); } /* roll 'em! */ safef(tempBefore, sizeof(tempBefore), "%s", tempVal ); safef(tempVal , sizeof(tempVal) , "%s", tempAfter); i++; } showColumns = cloneString(s->string); -freeDyString(&s); +dyStringFree(&s); showColumns[strlen(showColumns)-1]=0; /* chop off trailing comma */ doDisplay(); } void doPromoteColumn() { XdoPromoteColumn(1); } void doHideColumn() { @@ -2262,46 +2262,46 @@ } printf("<br>\n"); printf("<a href=\"qaPushQ?cb=%s\">RETURN</a><br>", newRandState); } void doShowColumn() /* Make column visible again */ { struct dyString * s = NULL; char *colName = NULL; char templist[512]; char tempe[64]; -s = newDyString(2048); /* need room */ +s = dyStringNew(2048); /* need room */ colName = cgiString("colName"); mapFieldToEnum(colName,TRUE); /* this will make sure it exists or errAbort */ safef(templist,sizeof(templist),",%s,",showColumns); /* add sentinel comma values to the ends of the col list */ safef(tempe,sizeof(tempe),",%s,",colName); /* add sentinel comma values to the ends of the col element */ if (strstr(templist,tempe)==NULL) /* make sure not already in list */ { dyStringAppend(s, showColumns); dyStringPrintf(s, ",%s", colName); showColumns = cloneString(s->string); } -freeDyString(&s); +dyStringFree(&s); doDisplay(); } void doShowDefaultColumns() /* Show Default Columns in default order */ { showColumns = cloneString(defaultColumns); doDisplay(); } void doShowMonths() @@ -3297,34 +3297,36 @@ char *cuser = NULL; char *cpassword = NULL; struct sqlConnection *betaconn = NULL; struct dbDb *ki=NULL, *kiList=NULL, *dbDbTemp=NULL; struct sqlResult *sr; char **row; char query[1024]; char tempName[256]; char now[256]; int m=0,d=0; int topCount=0; -char *encodeClause = ""; +char encodeClause[1024]; + +sqlSafef(encodeClause, sizeof encodeClause, "%s", ""); if (isEncode) - encodeClause = " and releaseLog like '%ENCODE%'"; + sqlSafef(encodeClause, sizeof encodeClause, " and releaseLog like '%%ENCODE%%'"); ZeroVar(&dbDbTemp); chost = cfgOption("rrcentral.host" ); cuser = cfgOption("rrcentral.user" ); cpassword = cfgOption("rrcentral.password"); centraldb = cfgOption("rrcentral.db"); webStart(NULL, NULL, "Track and Table Releases"); // only allowed one connection at a time? sqlDisconnect(&conn); @@ -3414,31 +3416,31 @@ ); sqlSafef(query,sizeof(query), "select releaseLog, dbs, qadate, releaseLogUrl from pushQ " "where priority='L' and releaseLog != '' and dbs != '' %-s" "order by qadate desc, qid desc ", encodeClause ); sr = sqlGetResult(conn, query); while ((row = sqlNextRow(sr)) != NULL) { sscanf(cloneStringZ(&row[2][5],2),"%d",&m); sscanf(cloneStringZ(&row[2][8],2),"%d",&d); { /* parse dblist and make sure it's kosher and active=1 good */ char* dbs = cloneString(row[1]); char dbsComma[1024]; char dbsSpace[1024]; - struct dyString* dbList = newDyString(1024); + struct dyString* dbList = dyStringNew(1024); int j = 0, jj = 0; char* sep = ""; boolean found = FALSE; cutParens(dbs); whiteSpace(dbs); for(j=0;parseList(dbs, ',' ,j,dbsComma,sizeof(dbsComma));j++) { if (dbsComma[0]==0) { continue; } for(jj=0;parseList(dbsComma, ' ' ,jj,dbsSpace,sizeof(dbsSpace));jj++) { if (dbsSpace[0]==0) { continue; } for (ki = kiList; ki != NULL; ki = ki->next) { @@ -3460,31 +3462,31 @@ { printf("%s", row[0]); } else { printf("<a href=\"%s\" target=_blank>%s</a>", row[3], row[0]); } printf("</td>\n"); printf("<td>%s</td>\n" "<td>%02d %s %s</td>\n" "</tr>\n", row[1], d, numberToMonth[m-1], cloneStringZ(row[2],4) ); } freez(&dbs); - freeDyString(&dbList); + dyStringFree(&dbList); if (topCount>=10) break; } } sqlFreeResult(&sr); printf("</table>\n"); /* REGULAR LOG */ for (ki = kiList; ki != NULL; ki = ki->next) { safef(tempName, sizeof(tempName), "%s", ki->organism); if (!sameString(ki->organism, ki->genome))