90d94c7615
Fixed SQL injection
Fixed an embarrassingly obvious SQL injection bug by throwing
`sqlite3_exec` away.
2025-05-19 21:18:19 +02:00
a1ba96bf67
Updated the test 2025-05-19 21:15:42 +02:00
2 changed files with 23 additions and 36 deletions


@ -207,42 +207,29 @@ void destroy_perm_permissions_table(void) { sqlite3_close(perm_database); }
*/ */
access_t check_perm_access_noparent(const char *filename, access_t check_perm_access_noparent(const char *filename,
struct process_info pi) { struct process_info pi) {
access_t ret = NDEF;
sqlite3_stmt *stmt = NULL;
const char *sql = "SELECT mode FROM permissions WHERE executable = ?1 "
"AND (( ?2 LIKE CONCAT(filename, \'%\') AND filename "
"GLOB \'*/\') OR filename = ?2 );";
sqlite3_prepare_v2(perm_database, sql, -1, &stmt, NULL);
sqlite3_bind_text(stmt, 1, pi.name, -1, SQLITE_STATIC);
sqlite3_bind_text(stmt, 2, filename, -1, SQLITE_STATIC);
char *query = NULL; int step_ret = sqlite3_step(stmt);
int ret = asprintf(&query, if (step_ret == SQLITE_ROW) {
"SELECT * FROM %s WHERE executable = \'%s\' " int mode_col = sqlite3_column_int(stmt, 0);
"AND ((\'%s\' LIKE CONCAT(filename, \'%%\') AND filename " if (mode_col) {
"GLOB \'*/\') OR filename = \'%s\');", ret = ALLOW;
table_name, pi.name, filename, filename); } else {
fprintf(stderr, "query: %s\n", query); ret = DENY;
}
} else {
fprintf(stderr, "SQLite error: %s\n", sqlite3_errstr(step_ret));
}
sqlite3_finalize(stmt);
if (ret < 0) { return ret;
// If asprintf fails, the contents of query are undefined (see man
// asprintf). That does not explicitly rule out that query will be a valid
// pointer. But the risk of freeing a non-allocated pointer is too much to
// justify preparing for this.
fprintf(stderr, "Could not create query on access check");
perror("");
return NDEF;
}
char *sqlite_error = NULL;
int flag = 0;
ret = sqlite3_exec(perm_database, query, set_flag, &flag, &sqlite_error);
free((void *)query);
if (ret != SQLITE_OK) {
fprintf(stderr, "SQLite returned an error: %s\n", sqlite_error);
sqlite3_free(sqlite_error);
return NDEF;
}
if (flag == 1) {
return ALLOW;
}
if (flag == -1) {
return DENY;
}
return NDEF;
} }
/** /**
@ -310,7 +297,7 @@ int set_perm_access(const char *filename, struct process_info pi,
// asprintf). That does not explicitly rule out that query will be a valid // asprintf). That does not explicitly rule out that query will be a valid
// pointer. But the risk of freeing a non-allocated pointer is too much to // pointer. But the risk of freeing a non-allocated pointer is too much to
// justify preparing for this. // justify preparing for this.
fprintf(stderr, "Could not create query on rule insertion"); fprintf(stderr, "Could not create query on rule insertion\n");
perror(""); perror("");
return 1; return 1;
} }
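Review bot: An access check that matches no rule is logged as a failure: for a prepared SELECT, `sqlite3_step` returns SQLITE_DONE when no row matches, so the `else` branch after the `SQLITE_ROW` test prints an "SQLite error:" line on every unmatched lookup even though NDEF is the intended result; the branch should read `} else if (step_ret != SQLITE_DONE) {` and report `sqlite3_errmsg(perm_database)` rather than `sqlite3_errstr(step_ret)` so the database's own message is shown. The results of `sqlite3_prepare_v2` and the two `sqlite3_bind_text` calls are also unchecked; if preparation fails, `stmt` stays NULL and the later step only yields SQLITE_MISUSE, hiding the real cause, so add `if (sqlite3_prepare_v2(perm_database, sql, -1, &stmt, NULL) != SQLITE_OK) { fprintf(stderr, "SQLite error: %s\n", sqlite3_errmsg(perm_database)); return NDEF; }` and treat a bind failure the same way before stepping. Separately, the stored `filename` is used as a LIKE pattern in `?2 LIKE CONCAT(filename, '%')`, so `_` and `%` in a rule path act as wildcards and the prefix comparison is case-insensitive for ASCII, which widens what a directory rule grants; `substr(?2, 1, length(filename)) = filename` gives an exact prefix match. The same hunk-1 diagnostics fix (trailing `\n`) that the second hunk applies to set_perm_access is already present in the new fprintf here, so nothing further is needed there.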


@ -46,7 +46,7 @@ if [[ $1 == "--setuid" ]]; then
else else
echo "Database protection will not be tested due to the lack of setuid capabilites." echo "Database protection will not be tested due to the lack of setuid capabilites."
echo "To test it, run this script with '--setuid'." echo "To test it, run this script with '--setuid'."
#valgrind --leak-check=full -s ../build/icfs -o default_permissions -o debug ./protected ./.pt.db 2>&1 | grep "==\|zenity\|Permission\|column\|callback" & #valgrind --leak-check=full -s ../build/icfs -o default_permissions -o debug ./protected ./.pt.db 2>&1 | grep "==\|zenity\|Permission\|column\|callback\|SQLite" &
valgrind --leak-check=full --show-leak-kinds=all -s ../build/icfs -o default_permissions ./protected ./.pt.db & valgrind --leak-check=full --show-leak-kinds=all -s ../build/icfs -o default_permissions ./protected ./.pt.db &
sleep 5 sleep 5
fi fi