fix(security): resolve SQL injection protection bypass (942380 PL2) #3720
azurit wants to merge 20 commits into
Conversation
fzipi left a comment
In your bypass example you mention, for example, using \s instead of \s+ in the regex.
What is the difference in what you did? Does having work with no spacing?
You could try removing all spaces with a transformation first.
| \bhaving\b ?\d{1,10} ?[=<>]+ | ||
| \bhaving\b ?[\'\"][^=]{1,10}[\'\" ?[=<>]+ | ||
| \bcreate\s+?table.{0,20}?\( | ||
| \bhaving\s*\(?\s*(?:['"]?\s*\d+\s*['"]?|['"]\s*[^\d]*\s*['"]|true|false)\s*(?:[=<>+\-*/%^&!|]+|div|mod) |
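Review bot: the quoted-string alternative `['"]\s*[^\d]*\s*['"]` in the added pattern stacks three overlapping quantifiers, since `[^\d]*` already matches whitespace; on a long input full of quotes and spaces with no closing quote, the engine backtracks through every split between the two `\s*` and the `[^\d]*`, whereas `['"][^\d]*['"]` matches exactly the same strings with a single quantifier, and the `{1,10}` bound on the removed `[^=]{1,10}` was doing real work that the new `[^\d]*` gives up. Separately, the removed `\bcreate\s+?table.{0,20}?\(` line has no replacement in this hunk; if CREATE TABLE detection is meant to live elsewhere after this change, the PR description should say where.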
| \bhaving\s*\(?\s*(?:['"]?\s*\d+\s*['"]?|['"]\s*[^\d]*\s*['"]|true|false)\s*(?:[=<>+\-*/%^&!|]+|div|mod) | |
| \bhaving\s+\(?\s*(?:['"]?\s*\d+\s*['"]?|['"]\s*[^\d]*\s*['"]|true|false)\s*(?:[=<>+\-*/%^&!|]+|div|mod) |
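Review bot: changing `\s*` to `\s+` directly after `having` makes the `\(?` that follows it unreachable for input like `having(1=1)`, because a parenthesis can then never sit immediately after the keyword, and it also defeats the idea raised earlier in this thread of stripping all whitespace with a transformation before matching, since after such a transformation `\s+` can never match anything; keep `\s*` here.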
I think * is correct here. The parser might accept ...having'..., for example.
The msg is SQL Injection Attack; at least MySQL expects a space after HAVING, haven't checked others. Maybe @azurit has more info about this.
I don't think it matters really in terms of the regex. As long as we assume that it can happen we should be fine either way.
@azurit Can you look into the open comments?
I found TONS of ways to bypass rule 942380 and some of them were extremely easy (for example using \s instead of \s+ in the regex). We are now able to catch these new ways of injection:
Also, we are now catching these:
We are still NOT catching these:
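To make the regex discussion above concrete, here is an added example (not code from the PR or from the CRS project) that runs the removed numeric pattern from the diff, the added combined pattern, and the suggested \s+ variant against a handful of constructed HAVING payloads. It assumes the assembled rule is case-insensitive (CRS wraps its regexes in (?i)), skips the rule's transformations, and approximates the "remove all spaces with a transformation first" idea from the thread by deleting all whitespace before matching; the payloads are made up for illustration.

```python
import re

# Patterns copied from the diff on this page. The assembled CRS rule is wrapped
# in (?i), so re.IGNORECASE is assumed here; the real rule also applies
# transformations (URL decoding etc.) before matching, which are omitted.
OLD_NUMERIC = r"\bhaving\b ?\d{1,10} ?[=<>]+"  # removed numeric branch
NEW_STAR = (r'''\bhaving\s*\(?\s*(?:['"]?\s*\d+\s*['"]?|['"]\s*[^\d]*\s*['"]'''
            r'''|true|false)\s*(?:[=<>+\-*/%^&!|]+|div|mod)''')  # added pattern
NEW_PLUS = NEW_STAR.replace(r"\bhaving\s*", r"\bhaving\s+", 1)  # suggested \s+

# Constructed payloads (assumed, not from the PR): HAVING-based tails an
# attacker might append to a numeric parameter.
PAYLOADS = [
    "1' having 1=1--",        # single space: the removed pattern covers this
    "1' having  1=1--",       # two spaces: ' ?' allows at most one
    "1' having\t1=1--",       # tab instead of space
    "1' having(1=1)--",       # parenthesis directly after HAVING
    "1' having true=true--",  # boolean literal instead of a digit
    "1' having 1 div 1--",    # MySQL integer-division operator
    "1' having'a'='a",        # quote directly after HAVING, no whitespace
]


def matches(pattern: str, payload: str) -> bool:
    """True if the rule regex fires on the payload (case-insensitive)."""
    return re.search(pattern, payload, re.IGNORECASE) is not None


def compare(payloads=PAYLOADS, remove_whitespace=False):
    """Map each payload to (old, new_star, new_plus) match results.

    remove_whitespace deletes all whitespace before matching, as an
    approximation of the 'strip all spaces with a transformation first'
    suggestion in the thread (an assumption, not CRS transformation code).
    """
    results = {}
    for p in payloads:
        subject = re.sub(r"\s+", "", p) if remove_whitespace else p
        results[p] = (matches(OLD_NUMERIC, subject),
                      matches(NEW_STAR, subject),
                      matches(NEW_PLUS, subject))
    return results


if __name__ == "__main__":
    for strip in (False, True):
        print(f"--- whitespace removed first: {strip}")
        for p, (old, star, plus) in compare(remove_whitespace=strip).items():
            print(f"{p!r:28} old={old!s:5} new(\\s*)={star!s:5} new(\\s+)={plus}")
```

Two rows are worth attention: `having(1=1)` and `having'a'='a` are caught only by the `\s*` form, because `\s+` demands whitespace where the payload has a parenthesis or quote; and once whitespace is stripped before matching, the removed pattern never fires (its `\b` after `having` cannot sit between two word characters) and neither does the `\s+` variant, while the `\s*` form still matches.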