Fixed SQL injection

Fixed an emabarassignly obvious SQL injection bug by throwing `sqlite3_exec` away.
2025-05-19 21:18:19 +02:00 · 2025-05-19 21:18:19 +02:00 · 90d94c7615
commit 90d94c7615
parent a1ba96bf67
1 changed files with 22 additions and 35 deletions
--- a/src/perm_permissions_table.c
+++ b/src/perm_permissions_table.c
@ -207,42 +207,29 @@ void destroy_perm_permissions_table(void) { sqlite3_close(perm_database); }
 */
 access_t check_perm_access_noparent(const char *filename,
                                    struct process_info pi) {
+  access_t ret = NDEF;
+  sqlite3_stmt *stmt = NULL;
+  const char *sql = "SELECT mode FROM permissions WHERE executable = ?1 "
+                    "AND (( ?2 LIKE CONCAT(filename, \'%\') AND filename "
+                    "GLOB \'*/\') OR filename = ?2 );";
+  sqlite3_prepare_v2(perm_database, sql, -1, &stmt, NULL);
+  sqlite3_bind_text(stmt, 1, pi.name, -1, SQLITE_STATIC);
+  sqlite3_bind_text(stmt, 2, filename, -1, SQLITE_STATIC);

-  char *query = NULL;
-  int ret = asprintf(&query,
-                     "SELECT * FROM %s WHERE executable = \'%s\' "
-                     "AND ((\'%s\' LIKE CONCAT(filename, \'%%\') AND filename "
-                     "GLOB \'*/\') OR filename = \'%s\');",
-                     table_name, pi.name, filename, filename);
-  fprintf(stderr, "query: %s\n", query);
+  int step_ret = sqlite3_step(stmt);
+  if (step_ret == SQLITE_ROW) {
+    int mode_col = sqlite3_column_int(stmt, 0);
+    if (mode_col) {
+      ret = ALLOW;
+    } else {
+      ret = DENY;
+    }
+  } else {
+    fprintf(stderr, "SQLite error: %s\n", sqlite3_errstr(step_ret));
+  }
+  sqlite3_finalize(stmt);

-  if (ret < 0) {
-    // If asprintf fails, the contents of query are undefined (see man
-    // asprintf). That does not explicitly rule out that query will be a valid
-    // pointer. But the risk of freeing a non-allocated pointer is too much to
-    // justify preparing for this.
-    fprintf(stderr, "Could not create query on access check");
-    perror("");
-    return NDEF;
-  }
-
-  char *sqlite_error = NULL;
-  int flag = 0;
-  ret = sqlite3_exec(perm_database, query, set_flag, &flag, &sqlite_error);
-  free((void *)query);
-  if (ret != SQLITE_OK) {
-    fprintf(stderr, "SQLite returned an error: %s\n", sqlite_error);
-    sqlite3_free(sqlite_error);
-    return NDEF;
-  }
-
-  if (flag == 1) {
-    return ALLOW;
-  }
-  if (flag == -1) {
-    return DENY;
-  }
-  return NDEF;
+  return ret;
 }

 /**
@ -310,7 +297,7 @@ int set_perm_access(const char *filename, struct process_info pi,
    // asprintf). That does not explicitly rule out that query will be a valid
    // pointer. But the risk of freeing a non-allocated pointer is too much to
    // justify preparing for this.
-    fprintf(stderr, "Could not create query on rule insertion");
+    fprintf(stderr, "Could not create query on rule insertion\n");
    perror("");
    return 1;
  }