Testing multi-line sql statements with comments embedded

Former-commit-id: 037b8ab9a4e8992e3dd8f65172c451cfd264b75d

Testing multi-line sql statements with comments embedded
0d115ff0 · an7s · 0fb0a51a · 0d115ff0 · 0d115ff0 · 0d115ff0
Commit 0d115ff0 authored 11 years ago by an7s
--- a/.gitattributes
+++ b/.gitattributes
@@ -131,6 +131,7 @@ appfw/tests/postgres/teardown.sql -text
 appfw/tests/postgres/testpg1.c -text
 appfw/tests/postgres/testpg1.env.c -text
 appfw/tests/postgres/testpg2.c -text
+appfw/tests/postgres/testpg2.env.c -text
 appfw/tests/postgres/testpg3.c -text
 appfw/tests/postgres/testpg4.c -text
 appfw/tests/sqlite/Makefile -text

--- a/appfw/tests/postgres/Makefile
+++ b/appfw/tests/postgres/Makefile
@@ -3,7 +3,7 @@ APPFW_LIB=$(SECURITY_TRANSFORMS_HOME)/appfw/lib/libappfw.so
 generate_signatures=$(PEASOUP_HOME)/tools/generate_string_signatures.sh

 all: testpg1.exe testpg2.exe testpg3.exe testpg4.exe
-all.env: testpg1.env.exe 
+all.env: testpg1.env.exe testpg2.env.exe

 testpg1.o: testpg1.c
 	gcc -I/usr/include/postgresql -c testpg1.c
@@ -14,6 +14,9 @@ testpg1.env.o: testpg1.env.c
 testpg2.o: testpg2.c
 	gcc -I/usr/include/postgresql -c testpg2.c

+testpg2.env.o: testpg2.env.c
+	gcc -I/usr/include/postgresql -c testpg2.env.c
+
 testpg3.o: testpg3.c
 	gcc -I/usr/include/postgresql -c testpg3.c

@@ -28,6 +31,10 @@ testpg1.env.exe: testpg1.env.o
 	gcc testpg1.env.o -o testpg1.env.exe -lpq
 	$(generate_signatures) testpg1.env.exe

+testpg2.env.exe: testpg2.env.o
+	gcc testpg2.env.o -o testpg2.env.exe -lpq
+	$(generate_signatures) testpg2.env.exe
+
 testpg2.exe: testpg2.o
 	gcc testpg2.o -o testpg2.exe -lpq
 	$(generate_signatures) testpg2.exe
@@ -51,6 +58,7 @@ peasoup: all
 	
 peasoup.env: all.env
 	$(PEASOUP_HOME)/tools/ps_analyze.sh testpg1.env.exe testpg1.exe.env.peasoup --step concolic=off --step integertransform=off --step p1transform=off --step ilr=off --step determine_program=off
+	$(PEASOUP_HOME)/tools/ps_analyze.sh testpg2.env.exe testpg2.exe.env.peasoup --step concolic=off --step integertransform=off --step p1transform=off --step ilr=off --step determine_program=off

 run: all
 #	LD_PRELOAD=$(APPFW_LIB) APPFW_DB=appfw.db APPFW_SIGNATURE_FILE=testpg4.exe.sigs ./testpg4.exe "bob"

--- a/appfw/tests/postgres/postgres.test.env.sh
+++ b/appfw/tests/postgres/postgres.test.env.sh
@@ -70,6 +70,8 @@ if [ ! $? -eq 0 ]; then
 	cleanup 1 "Failed to build postgres tests"
 fi

+psql -f ./teardown.sql 2>/dev/null # in case we have remnants from a previous testing run
+psql -f ./setup.sql

 #
 # testpg1.exe.env.peasoup
@@ -117,44 +119,52 @@ if [ ! $? -eq 0 ]; then
 	cleanup 6 "False negative detected: attack query for testpg1.exe.env.peasoup should have been detected"
 fi

-psql -f ./teardown.sql
-cleanup 0 "Successfully detected Postgres SQL Injection"
-
 #
 # testpg2.exe.env.peasoup
 #
-psql -f ./teardown.sql 2>/dev/null # in case we have remnmants from a previous testing run
-psql -f ./setup.sql

-# good query
-rm -f $tmp
-./testpg2.exe.env.peasoup David > $tmp 2>&1
-grep -i "David Hyde" $tmp
+# test good queries
+rm -f $tmp 2>/dev/null
+QUERY_DATA="bob" ./testpg2.exe.env.peasoup > $tmp 2>&1
+grep -i query $tmp | grep -i success
 if [ ! $? -eq 0 ]; then
 	cat $tmp
 	cleanup 7 "False positive detected: query for testpg2.exe.env.peasoup should have succeeded"
 fi

-# attack query
 rm -f $tmp
-./testpg2.exe "David' or '0'='0" > $tmp 2>&1
-grep -i William $tmp
+QUERY_DATA="select * from xyz" ./testpg2.exe.env.peasoup > $tmp 2>&1
+grep -i query $tmp | grep -i success
 if [ ! $? -eq 0 ]; then
 	cat $tmp
-	cleanup 7 "False negative detected: attack query for testpg2.exe.env.peasoup should have failed"
+	cleanup 8 "False positive detected: query for testpg2.exe.env.peasoup should have succeeded"
 fi

-#
-# testpg4.exe.env.peasoup
-# test multi-statement queries
-#
+# test attack queries
 rm -f $tmp
-./testpg4.exe.env.peasoup "bob" > $tmp 2>&1
+QUERY_DATA="' or 1 = 1;--" ./testpg2.exe.env.peasoup > $tmp 2>&1
 grep -i "sql injection" $tmp | grep -i detected
-if [ $? -eq 0 ]; then
+if [ ! $? -eq 0 ]; then
 	cat $tmp
-	cleanup 8 "False positive detected: there should be no SQL injections here"
+	cleanup 9 "False negative detected: attack query for testpg2.exe.env.peasoup should have been detected"
 fi

+rm -f $tmp
+QUERY_DATA="' and /* */ 1 = 1 /* */; /*--*/" ./testpg2.exe.env.peasoup > $tmp 2>&1
+grep -i "sql injection" $tmp | grep -i detected
+if [ ! $? -eq 0 ]; then
+	cat $tmp
+	cleanup 10 "False negative detected: attack query for testpg2.exe.env.peasoup should have been detected"
+fi
+
+rm -f $tmp
+QUERY_DATA="%' or 1 = 1; -- select *" ./testpg2.exe.env.peasoup > $tmp 2>&1
+grep -i "sql injection" $tmp | grep -i detected
+if [ ! $? -eq 0 ]; then
+	cat $tmp
+	cleanup 11 "False negative detected: attack query for testpg2.exe.env.peasoup should have been detected"
+fi
+
+
 psql -f ./teardown.sql
 cleanup 0 "Successfully detected Postgres SQL Injection"
--- a/appfw/tests/postgres/testpg2.env.c
+++ b/appfw/tests/postgres/testpg2.env.c
+#include <stdio.h>
+#include <stdlib.h>
+#include "libpq-fe.h"
+
+void exitNicely(PGconn *p_conn)
+{
+  PQfinish(p_conn);
+  exit(1);
+}
+
+int main(int argc, char **argv)
+{
+  char conninfo[1024];
+  char query[1024];
+  char *querydata;
+  char bogus[1024];
+  PGconn     *conn;
+  PGresult   *res;
+
+  sprintf(conninfo, "dbname = %s", getenv("PGDATABASE"));
+
+  conn = PQconnectdb(conninfo);
+
+  if (PQstatus(conn) != CONNECTION_OK)
+  {
+    fprintf(stderr, "Connection to database failed: %s", PQerrorMessage(conn));
+	exitNicely(conn);
+  }
+
+  querydata = getenv("QUERY_DATA");
+  // deliberately allow for SQL injection
+  // test multi-line sql statements
+  sprintf(query, "select * from doip -- first part of the string\n where comment -- 2nd part of string\n   = '%s';", querydata);
+  fprintf(stdout, "issuing query: %s\n", query);
+
+  // force signatures to contain the letter o,r,a,n,d to make sure
+  // we don't allow AND OR to be made up of single letters
+  sprintf(bogus,"o");
+  sprintf(&bogus[1],"r");
+  sprintf(&bogus[2],"=");
+  sprintf(&bogus[3],";");
+  sprintf(&bogus[4],"-");
+  sprintf(&bogus[5],"a");
+  sprintf(&bogus[6],"n");
+  sprintf(&bogus[7],"d");
+
+  // play with uppercase in SQL instructions (SQL is case insensitive)
+  query[0]='S';
+  query[2]='L';
+  res = PQexec(conn, query);
+  if (PQresultStatus(res) == PGRES_TUPLES_OK)
+  {
+    fprintf(stderr, "-------------------------------------------\n");
+    fprintf(stderr, "\tQuery success: %s\n", query);
+    fprintf(stderr, "-------------------------------------------\n");
+  }
+  else
+  {
+    fprintf(stderr, "-------------------------------------------\n");
+    fprintf(stderr, "\tQuery failed: %s\n", query);
+    fprintf(stderr, "-------------------------------------------\n");
+  }
+
+  PQclear(res);
+
+  PQfinish(conn);
+
+  return 0;
+}