src/hg/lib/tests/sqlCheck.c 44ccfacbe3a3d4b300f80d48651c77837a4b571e

44ccfacbe3a3d4b300f80d48651c77837a4b571e
galt
  Tue Apr 26 11:12:02 2022 -0700
SQL INJECTION Prevention Version 2 - this improves our methods by making subclauses of SQL that get passed around be both easy and correct to use. The way that was achieved was by getting rid of the obscure and not well used functions sqlSafefFrag and sqlDyStringPrintfFrag and replacing them with the plain versions of those functions, since these are not needed anymore. The new version checks for NOSQLINJ in unquoted %-s which is used to include SQL clauses, and will give an error the NOSQLINJ clause is not present, and this will automatically require the correct behavior by developers. sqlDyStringPrint is a very useful function, however because it was not enforced, users could use various other dyString functions and they operated without any awareness or checking for SQL correct use. Now those dyString functions are prohibited and it will produce an error if you try to use a dyString function on a SQL string, which is simply detected by the presence of the NOSQLINJ prefix.

diff --git src/hg/lib/tests/sqlCheck.c src/hg/lib/tests/sqlCheck.c
index 16b72ca..a18bebf 100644
--- src/hg/lib/tests/sqlCheck.c
+++ src/hg/lib/tests/sqlCheck.c
@@ -1,89 +1,98 @@
 /* Test sqlCheck anti-sql-injection functions in jksql.c */
 
 /* Copyright (C) 2013 The Regents of the University of California 
  * See kent/LICENSE or http://genome.ucsc.edu/license/ for licensing information. */
 
 #include "common.h"
+//something odd about the directory includes for compiling require adding the mysql subdir to the path for mysql.h
+#include <mysql/mysql.h>   
+#include "options.h"
+#include "dystring.h"
 #include "jksql.h"
 
 void usage()
 /* display usage message */
 {
 printf(
  "sqlCheck - test anti-sql-injection functions\n"
  "\n"
  "Usage:\n"
  " sqlCheck type value\n"
  "\n"
  "where type can be \n"
  "  ID for Identifier -- these should be alphanumeric, underscore, and period but not allow spaces, quotes, etc\n"
  "  IL for Identifier List -- these should be identifiers comma-separated list. Currently '.' is allowed as a special exception.\n"
  "  ES for Escape the string using mysql -- this should allow all and escape all characters except 0 (which is useful for binary but not strings)\n"
  "  EE for Escape Every evil character -- this should append escaped all forbidden characters except 0 (which is useful for binary but not strings)\n"
  "\n"
  );
 exit(1);
 }
 
 int main(int argc, char *argv[])
 {
 if (argc != 3)
     usage();
 
+// since we have not gotten a db connection yet,
+// apparently we have to call this to avoid a segfault.
+mysql_library_init(0, 0, 0);
+
 char *theType = argv[1];
 char *value   = argv[2];
 
 if (sameString(theType,"ID"))
     {
     printf("SELECT * FROM %s;\n", sqlCheckIdentifier(value));  // typically a table name or field name etc, is not quoted or escaped.
     }
 else if (sameString(theType,"IL"))
     {
-    printf("SELECT %s FROM table;\n", sqlCheckIdentifiersList(value));  // typically a comma-separated list of table or field names.
+    sqlCkIl(valueSafe, value)
+    printf("%s\n", valueSafe);  // typically a comma-separated list of table or field names.
     }
 else if (sameString(theType,"ES"))
     {
     struct dyString *dy = dyStringNew(0);
     sqlDyStringPrintf(dy, "INSERT INTO TABLE VALUES ('");
     sqlDyAppendEscaped(dy, value);  // typically used when there are unusual characters that need escaping.
-    dyStringAppend(dy, "');");
+    sqlDyStringPrintf(dy, "');");
     printf("%s\n", dy->string);
     }
 else if (sameString(theType,"EE"))
     {
     struct dyString *dy = dyStringNew(0);
     sqlDyStringPrintf(dy, "INSERT INTO TABLE VALUES ('");
     sqlDyAppendEscaped(dy, value);  // typically used when there are unusual characters that need escaping.
     sqlDyAppendEscaped(dy, "\x1a\n\r\\\'\"");  // typically used when there are unusual characters that need escaping.
-    dyStringAppend(dy, "');");
+    sqlDyStringPrintf(dy, "');");
     printf("%s\n", dy->string);
     }
 else if (sameString(theType,"XX")) // test sqlSafef
     {
-    char query[1024];
+    char query[1024];   // quoted %-s is not allowed anymore since it was poorly defined and useless.
     //sqlSafef(query, sizeof query, "SELECT * FROM %s where field = '%s'", value, "value");
     sqlSafef(query, sizeof query, "SELECT * FROM %s where field = '%s'", "table", value);
     //sqlSafef(query, sizeof query, "SELECT * FROM %s where id=%d and field like '%%%s'", "table", 3, value);
     //sqlSafef(query, sizeof query, "SELECT * FROM %s where id=%d and field like '%%%s' and ptr=%p", "table", 3, value, value);
     //sqlSafef(query, sizeof query, "SELECT * FROM %s where field = '%-s'", "table", value);
     //sqlSafef(query, sizeof query, "SELECT %-s FROM TABLE where field = '%s'", sqlCkIl(value), "value");
     printf("query=%s\n", query);
     }
 else if (sameString(theType,"XY")) // test sqlDyStringPrintf
     {
-    struct dyString *dy = dyStringNew(200);
+    struct dyString *dy = dyStringNew(200);  // no quoted %-s anymore, deemed useless and forbidden.
     //sqlDyStringPrintf(dy, "SELECT * FROM %s where field = '%s'", value, "value");
     sqlDyStringPrintf(dy, "SELECT * FROM %s where field = '%s'", "table", value);
     //sqlDyStringPrintf(dy, " AND field2 = '%s'", value);  // make sure appending works without duplicating the NOSQLINJ prefix
     //sqlDyStringPrintf(dy, "SELECT * FROM %s where id=%d and field like '%%%s'", "table", 3, value);
     //sqlDyStringPrintf(dy, "SELECT * FROM %s where id=%d and field like '%%%s' and ptr=%p", "table", 3, value, value);
     //sqlDyStringPrintf(dy, "SELECT * FROM %s where field = '%-s'", "table", value);
     printf("dy=%s\n", dy->string);
     }
 else
     {
     usage();
     }
 
 return 0;
 }