[Projekt: Entwicklung - Neon][TicketNr.: 2028408][SqlInjection in...

[Projekt: Entwicklung - Neon][TicketNr.: 2028408][SqlInjection in Sql_lib/SqlBuilder_lib durch preparedArray bei pValue möglich]

[Projekt: Entwicklung - Neon][TicketNr.: 2028408][SqlInjection in...
[Projekt: Entwicklung - Neon][TicketNr.: 2028408][SqlInjection in Sql_lib/SqlBuilder_lib durch preparedArray bei pValue möglich]
1ef89aaa · Martin Groppe · Administrator · d646ca91 · 1ef89aaa · 1ef89aaa
Commit 1ef89aaa authored 1 year ago by Martin Groppe Committed by Administrator 1 year ago
--- a/entity/SlaveAdministration_entity/recordcontainers/db/orderClauseProcess.js
+++ b/entity/SlaveAdministration_entity/recordcontainers/db/orderClauseProcess.js
 import { db, result } from "@aditosoftware/jdito-types";

-result.object({"ASYS_SYNCSLAVES.LASTSYNC": db.ASCENDING});
\ No newline at end of file
+result.object({ "ASYS_SYNCSLAVES.LASTSYNC": db.ASCENDING });
\ No newline at end of file
--- a/process/PreparedSqlStatement_lib/PreparedSqlStatement_lib.aod
+++ b/process/PreparedSqlStatement_lib/PreparedSqlStatement_lib.aod
+<?xml version="1.0" encoding="UTF-8"?>
+<process xmlns="http://www.adito.de/2018/ao/Model" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" VERSION="1.3.0" xsi:schemaLocation="http://www.adito.de/2018/ao/Model adito://models/xsd/process/1.3.0">
+  <name>PreparedSqlStatement_lib</name>
+  <majorModelMode>DISTRIBUTED</majorModelMode>
+  <process>%aditoprj%/process/PreparedSqlStatement_lib/process.js</process>
+  <variants>
+    <element>LIBRARY</element>
+  </variants>
+</process>
--- a/process/PreparedSqlStatement_lib/process.js
+++ b/process/PreparedSqlStatement_lib/process.js
+
+/**
+ * Object containing a prepared sql statement
+ * 
+ * @param {string} [pSqlString] - The sql statement that contains already the placeholders for values: `?`. 
+ *
+ *                                **Never** include values from external sources such as user input, web services, entity-parameters, etc. 
+ *                                directly as pSqlString. Doing so will expose the system to SQL injection attacks because only the 
+ *                                `pPreparedValues` are set as bind parameters and/or are escaped automatically.
+ *
+ * @param {[string, number][]} [pPreparedValues] - The values for the query
+ * @class
+ */
+export function PreparedSqlStatement(pSqlString, pPreparedValues)
+{
+    /**
+     * @type {string}
+     */
+    this.sqlString = "";
+    /**
+     * @type {[string, number][]}
+     */
+    this.preparedValues = [];
+
+    this.append(pSqlString, pPreparedValues);
+}
+
+/**
+ * Creates a new PreparedSqlStatement object from a prepared statement array
+ *
+ * @param {[string, [string, number][]]} preparedArray - The sql statement and its prepared values and types.
+ *
+ *                                **Never** include values from external sources such as web services, entity-parameters, etc. 
+ *                                directly and unverified as parameter here. Doing so will expose the system to SQL injection attacks because the 
+ *                                first element of the array-param is the sql-expression part.
+ *                                This means, that a sql expression could be passed from external sources into the execution.
+ * 
+ *                                Example A, **not okay**:
+ *                                ```
+ *                                var conditionParam = JSON.parse(vars.get("$param.condition_param"));
+ *                                var prepared = PreparedSqlStatement.fromArray(conditionParam);// sql injection possible here
+ *                                entityCondition.and(prepared);
+ *                                ```
+ *                                The parameter could be overwritten by the user with a value like `["); drop table users;", []]`
+ *
+ *                                Example B, **okay**:
+ *                                ```
+ *                                var idList = JSON.parse(vars.get("$param.idList_param"));
+ *                                var prepared = PreparedSqlStatement.fromArray(["MYTABLE.MYID in (?, ?, ?)", idList]);// sql injection not possible
+ *                                entityCondition.and(prepared);
+ *                                ```
+ *                                Because the values are passed as bind parameters, the user may pass `["''); drop table users;"]` as parameter but
+ *                                that is never parsed and executed as sql-expression.
+ * 
+ *                                For this particular example here the best solution however is to use the `SqlBuilder` without using 
+ *                                `PreparedSqlStatement` at all.
+ *
+ *
+ * @return {PreparedSqlStatement} A new PreparedSqlStatement object
+ */
+PreparedSqlStatement.fromArray = function([pSqlString, pPreparedValues])
+{
+    return new PreparedSqlStatement(pSqlString, pPreparedValues);
+};
+
+/**
+ * Creates a prepared statement array that can be used by some db.* methods
+ *
+ * @return {[string, [string, number][]]} The statement as an array
+ */
+PreparedSqlStatement.prototype.toArray = function()
+{
+    return [this.sqlString, this.preparedValues];
+};
+
+/**
+ * Adds the given sql to the statement
+ * 
+ * @param {string} pSqlString - The sql statement that contains already the placeholders for values: `?`. 
+ *
+ *                              **Never** include values from external sources such as user input, web services, entity-parameters, etc. 
+ *                              directly as pSqlString. Doing so will expose the system to SQL injection attacks because only the 
+ *                              `pPreparedValues` are set as bind parameters and/or are escaped automatically.
+ *
+ * @param {[string, number][]} [pPreparedValues] - The values for the query
+ * @return {PreparedSqlStatement} The current object
+ */
+PreparedSqlStatement.prototype.append = function(pSqlString, pPreparedValues)
+{
+    if (pSqlString)
+    {
+        this.sqlString += pSqlString;
+    }
+    if (pPreparedValues)
+    {
+        pPreparedValues.forEach(([value, type]) => this.addPreparedValue(value, type));
+    }
+    return this;
+};
+
+/**
+ *  Adds the sql from a PreparedSqlStatement to the statement
+ * 
+ * @param {PreparedSqlStatement} pPreparedStatement - The sql statement and its prepared values and types
+ * @param {string} [pSeparator] - A string that is added between the existing and new sql
+ * @return {PreparedSqlStatement} The current object
+ */
+PreparedSqlStatement.prototype.appendStatement = function(pPreparedStatement, pSeparator)
+{
+    if (pSeparator == undefined || !this.sqlString)
+    {
+        pSeparator = "";
+    }
+    return this.append(pSeparator + pPreparedStatement.sqlString, pPreparedStatement.preparedValues);
+};
+
+/**
+ * Adds a prepared value
+ * 
+ * @param {string} pValue - The value for the query
+ * @param {number} pType - The type of the value (SQLTYPES.*)
+ * @return {PreparedSqlStatement} The current object
+ */
+PreparedSqlStatement.prototype.addPreparedValue = function(pValue, pType)
+{
+    this.preparedValues.push([pValue, pType]);
+    return this;
+};
+
+/**
+ * Checks if the sql stamtement has no content
+ * 
+ * @returns {boolean} If the statement is empty
+ */
+PreparedSqlStatement.prototype.isEmpty = function()
+{
+    return this.sqlString == "";
+};
\ No newline at end of file
--- a/process/Sql_lib/process.js
+++ b/process/Sql_lib/process.js