fedir/ICFS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fixed SQL injection

Browse Source 
Fixed an emabarassignly obvious SQL injection bug by throwing
`sqlite3_exec` away.
This commit is contained in:
fedir 2025-05-19 21:18:19 +02:00
parent a1ba96bf67
commit 90d94c7615
Signed by: fedir
GPG Key ID: C959EE85F0C9362C
1 changed files with 22 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

57
src/perm_permissions_table.c
View File

@ -207,42 +207,29 @@ void destroy_perm_permissions_table(void) { sqlite3_close(perm_database); }
*/ */
access_t check_perm_access_noparent(const char *filename, access_t check_perm_access_noparent(const char *filename,
struct process_info pi) { struct process_info pi) {
access_t ret = NDEF;
sqlite3_stmt *stmt = NULL;
const char *sql = "SELECT mode FROM permissions WHERE executable = ?1 "
"AND (( ?2 LIKE CONCAT(filename, \'%\') AND filename "
"GLOB \'*/\') OR filename = ?2 );";
sqlite3_prepare_v2(perm_database, sql, -1, &stmt, NULL);
sqlite3_bind_text(stmt, 1, pi.name, -1, SQLITE_STATIC);
sqlite3_bind_text(stmt, 2, filename, -1, SQLITE_STATIC);
char *query = NULL; int step_ret = sqlite3_step(stmt);
int ret = asprintf(&query, if (step_ret == SQLITE_ROW) {
"SELECT * FROM %s WHERE executable = \'%s\' " int mode_col = sqlite3_column_int(stmt, 0);
"AND ((\'%s\' LIKE CONCAT(filename, \'%%\') AND filename " if (mode_col) {
"GLOB \'*/\') OR filename = \'%s\');", ret = ALLOW;
table_name, pi.name, filename, filename); } else {
fprintf(stderr, "query: %s\n", query); ret = DENY;
}
} else {
fprintf(stderr, "SQLite error: %s\n", sqlite3_errstr(step_ret));
}
sqlite3_finalize(stmt);
if (ret < 0) { return ret;
// If asprintf fails, the contents of query are undefined (see man
// asprintf). That does not explicitly rule out that query will be a valid
// pointer. But the risk of freeing a non-allocated pointer is too much to
// justify preparing for this.
fprintf(stderr, "Could not create query on access check");
perror("");
return NDEF;
}
char *sqlite_error = NULL;
int flag = 0;
ret = sqlite3_exec(perm_database, query, set_flag, &flag, &sqlite_error);
free((void *)query);
if (ret != SQLITE_OK) {
fprintf(stderr, "SQLite returned an error: %s\n", sqlite_error);
sqlite3_free(sqlite_error);
return NDEF;
}
if (flag == 1) {
return ALLOW;
}
if (flag == -1) {
return DENY;
}
return NDEF;
} }
/** /**
@ -310,7 +297,7 @@ int set_perm_access(const char *filename, struct process_info pi,
// asprintf). That does not explicitly rule out that query will be a valid // asprintf). That does not explicitly rule out that query will be a valid
// pointer. But the risk of freeing a non-allocated pointer is too much to // pointer. But the risk of freeing a non-allocated pointer is too much to
// justify preparing for this. // justify preparing for this.
fprintf(stderr, "Could not create query on rule insertion"); fprintf(stderr, "Could not create query on rule insertion\n");
perror(""); perror("");
return 1; return 1;
} }