You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@fineract.apache.org by "Joseph Makara (Jira)" <ji...@apache.org> on 2021/04/04 06:43:00 UTC
[jira] [Commented] (FINERACT-1338) SQL Injection - While
"runreports" api is trying to load report parameters
[ https://issues.apache.org/jira/browse/FINERACT-1338?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17314418#comment-17314418 ]
Joseph Makara commented on FINERACT-1338:
-----------------------------------------
Hi,
FINERACT-1336 is in the right direction.
To solve FINERACT-1338 - The Short answer = Use Prepared Statements!
How to reproduce: Apply the script in FINERACT-1336. This solves below issues while running [https://localhost:8443/fineract-provider/api/v1/runreports/FullParameterList?R_reportListing=%27Active+Clients%27¶meterType=true]
{code:java}
{"developerMessage":"The requested resource is not available.","httpStatusCode":"404","defaultUserMessage":"The requested resource is not available.","userMessageGlobalisationCode":"error.msg.resource.not.found","errors":[{"developerMessage":"Reporting meta-data entry not found.","defaultUserMessage":"Reporting meta-data entry not found.","userMessageGlobalisationCode":"error.msg.report.name.not.found","parameterName":"id","value":null,"args":[{"value":"Report Name: FullParameterList"}]}]}
{code}
The next issues comes up whilst running [https://localhost:8443/fineract-provider/api/v1/runreports/OfficeIdSelectOne?parameterType=true]
{code:java}
{"developerMessage":"The request was invalid. This typically will happen due to validation errors which are provided.","httpStatusCode":"400","defaultUserMessage":"Unexpected SQL Commands found","userMessageGlobalisationCode":"error.msg.found.sql.injection"}
{code}
This comes after running SQL
{code:java}
SELECT x.* FROM (
SELECT
sp.parameter_name, sp.parameter_variable, sp.parameter_label, sp.parameter_displayType,
sp.parameter_FormatType, sp.parameter_default, sp.selectOne, sp.selectAll, spp.parameter_name AS parentParameterName
FROM stretchy_parameter sp
LEFT JOIN stretchy_parameter spp ON spp.id = sp.parent_id
WHERE sp.special IS NULL AND EXISTS (
SELECT 'f'
FROM stretchy_report sr
JOIN stretchy_report_parameter srp ON srp.report_id = sr.id AND sr.self_service_user_report = '0'
WHERE sr.report_name IN('Active Clients')
AND srp.parameter_id = sp.id
) ORDER BY sp.id
) x;
{code}
Which returns
{code:java}
+------------------------+--------------------+-----------------+-----------------------+
| parameter_name | parameter_variable | parameter_label | parameter_displayType |
+------------------------+--------------------+-----------------+-----------------------+
| OfficeIdSelectOne | officeId | Office | select |
| loanOfficerIdSelectAll | loanOfficerId | Loan Officer | select |
+------------------------+--------------------+-----------------+-----------------------+
{code}
ParameterName `OfficeIdSelectOne` will not pass `validateReportName` with `REPORT_NAME_REGEX_PATTERN`. These other parameters in the same table are impacted.
h6. {{'currencyIdSelectAll', 'cycleXSelect', 'cycleYSelect', 'endDateSelect', 'fromXSelect', 'fundIdSelectAll', 'loanOfficerIdSelectAll', 'loanProductIdSelectAll', 'loanPurposeIdSelectAll', 'obligDateTypeSelect', 'OfficeIdSelectOne', 'overdueXSelect', 'overdueYSelect', 'parTypeSelect', 'savingsProductIdSelectAll', 'selectAccount', 'selectCenterId', 'SelectGLAccountNO', 'SelectLoanType', 'startDateSelect', 'toYSelect'}}
I see that history of things. The SQL Injection validation workaround should be removed and fix this with parameter queries for the `inputSQL` shown below.
This has been identified by OWASP ZAP Scan as fix candidate in `ReadReportingServiceImpl.java` in Jira FINERACT-969
See how it is doing string concatenations `where " + type + "_name = '" + name + "'"`
{code:java}
private String getSql(final String name, final String type) {
final String inputSql = "select " + type + "_sql as the_sql from stretchy_" + type + " where " + type + "_name = '" + name + "'";
{code}
Instead of REGEX validation for report names here it requires changing to use parameterised query with `?`
> SQL Injection - While "runreports" api is trying to load report parameters
> --------------------------------------------------------------------------
>
> Key: FINERACT-1338
> URL: https://issues.apache.org/jira/browse/FINERACT-1338
> Project: Apache Fineract
> Issue Type: Bug
> Reporter: Francis Guchie
> Assignee: Francis Guchie
> Priority: Major
> Attachments: image-2021-03-31-15-53-00-571.png
>
>
> After solving the error at FINERACT-1336 a new error shows up.
> while api - runreports
> fineract-provider/api/v1/runreports/OfficeIdSelectOne?parameterType=true
> is spooling the report parameters, user will not see any error on the UI
> !image-2021-03-31-15-53-00-571.png!
> but looking through the console OR postman you see error below
> {
> "developerMessage": "The request was invalid. This typically will happen due to validation errors which are provided.",
> "httpStatusCode": "400",
> "defaultUserMessage": "Unexpected SQL Commands found",
> *"userMessageGlobalisationCode": "error.msg.found.sql.injection"*
> }
--
This message was sent by Atlassian Jira
(v8.3.4#803005)