Modified tests to take query data from an environment variable

Tests to make sure that vetted tokens come from a single signature


Former-commit-id: e532126bf0874cca10852870ace8518b4482890d

.gitattributes

@@ -124,10 +124,12 @@ appfw/tests/oscommand/Makefile -text
 appfw/tests/oscommand/dotest.sh -text
 appfw/tests/oscommand/testosc.c -text
 appfw/tests/postgres/Makefile -text
+appfw/tests/postgres/postgres.test.env.sh -text
 appfw/tests/postgres/postgres.test.sh -text
 appfw/tests/postgres/setup.sql -text
 appfw/tests/postgres/teardown.sql -text
 appfw/tests/postgres/testpg1.c -text
+appfw/tests/postgres/testpg1.env.c -text
 appfw/tests/postgres/testpg2.c -text
 appfw/tests/postgres/testpg3.c -text
 appfw/tests/postgres/testpg4.c -text

appfw/tests/postgres/Makefile

@@ -3,10 +3,14 @@ APPFW_LIB=$(SECURITY_TRANSFORMS_HOME)/appfw/lib/libappfw.so
 generate_signatures=$(PEASOUP_HOME)/tools/generate_string_signatures.sh
 
 all: testpg1.exe testpg2.exe testpg3.exe testpg4.exe
+all.env: testpg1.env.exe 
 
 testpg1.o: testpg1.c
 	gcc -I/usr/include/postgresql -c testpg1.c
 
+testpg1.env.o: testpg1.env.c
+	gcc -I/usr/include/postgresql -c testpg1.env.c
+
 testpg2.o: testpg2.c
 	gcc -I/usr/include/postgresql -c testpg2.c
 
@@ -20,6 +24,10 @@ testpg1.exe: testpg1.o
 	gcc testpg1.o -o testpg1.exe -lpq
 	$(generate_signatures) testpg1.exe
 
+testpg1.env.exe: testpg1.env.o
+	gcc testpg1.env.o -o testpg1.env.exe -lpq
+	$(generate_signatures) testpg1.env.exe
+
 testpg2.exe: testpg2.o
 	gcc testpg2.o -o testpg2.exe -lpq
 	$(generate_signatures) testpg2.exe
@@ -36,14 +44,18 @@ clean:
 	rm -rf *.o *.tmp *.exe peasoup_executable_directory* test*.peasoup messages_to_tne.log ps_tne_logfile.txt testpg*.exe.sigs appfw.db 
 
 peasoup: all
-	APPFW_VERBOSE=1 $(PEASOUP_HOME)/tools/ps_analyze.sh testpg1.exe testpg1.exe.peasoup --step concolic=off --step integertransform=off --step p1transform=off
-	$(PEASOUP_HOME)/tools/ps_analyze.sh testpg2.exe testpg2.exe.peasoup --step concolic=off --step integertransform=off --step p1transform=off
-	$(PEASOUP_HOME)/tools/ps_analyze.sh testpg3.exe testpg3.exe.peasoup --step concolic=off --step integertransform=off --step p1transform=off
-	$(PEASOUP_HOME)/tools/ps_analyze.sh testpg4.exe testpg4.exe.peasoup --step concolic=off --step integertransform=off --step p1transform=off
+	$(PEASOUP_HOME)/tools/ps_analyze.sh testpg1.exe testpg1.exe.peasoup --step concolic=off --step integertransform=off --step p1transform=off --step ilr=off --step determine_program=off
+	$(PEASOUP_HOME)/tools/ps_analyze.sh testpg2.exe testpg2.exe.peasoup --step concolic=off --step integertransform=off --step p1transform=off --step ilr=off --step determine_program=off
+	$(PEASOUP_HOME)/tools/ps_analyze.sh testpg3.exe testpg3.exe.peasoup --step concolic=off --step integertransform=off --step p1transform=off --step ilr=off --step determine_program=off
+	$(PEASOUP_HOME)/tools/ps_analyze.sh testpg4.exe testpg4.exe.peasoup --step concolic=off --step integertransform=off --step p1transform=off --step ilr=off --step determine_program=off
 	
+peasoup.env: all.env
+	$(PEASOUP_HOME)/tools/ps_analyze.sh testpg1.env.exe testpg1.exe.env.peasoup --step concolic=off --step integertransform=off --step p1transform=off --step ilr=off --step determine_program=off
+
 run: all
 #	LD_PRELOAD=$(APPFW_LIB) APPFW_DB=appfw.db APPFW_SIGNATURE_FILE=testpg4.exe.sigs ./testpg4.exe "bob"
 #	LD_PRELOAD=$(APPFW_LIB) APPFW_DB=appfw.db APPFW_SIGNATURE_FILE=testpg3.exe.sigs ./testpg3.exe "select * from xyz;"
 #	LD_PRELOAD=$(APPFW_LIB) APPFW_DB=appfw.db APPFW_SIGNATURE_FILE=testpg3.exe.sigs ./testpg3.exe "' or 1=1; --"
-	LD_PRELOAD=$(APPFW_LIB) APPFW_DB=appfw.db APPFW_SIGNATURE_FILE=testpg1.exe.sigs ./testpg1.exe "' or 1 = 1; --"
+#	LD_PRELOAD=$(APPFW_LIB) APPFW_DB=appfw.db APPFW_SIGNATURE_FILE=testpg1.exe.sigs ./testpg1.exe "' or 1 = 1; --"
+	QUERY_DATA="' or 1 = 1; -- " LD_PRELOAD=$(APPFW_LIB) APPFW_DB=appfw.db APPFW_SIGNATURE_FILE=testpg1.env.exe.sigs ./testpg1.env.exe 
 #	LD_PRELOAD=$(APPFW_LIB) APPFW_DB=appfw.db APPFW_SIGNATURE_FILE=testpg2.exe.sigs ./testpg2.exe "' or 1=1; --"

appfw/tests/postgres/postgres.test.env.sh

+#!/bin/sh -x
+
+# Assumptions:
+# 	$1 is the full pathname to output file
+
+# For PEASOUP, Required XML fields are
+# name - name of the test
+# host - name of the host where the test was run
+# project - project name
+# date_time - date time in specific format date +%FT%R:%S
+# key_value pairs, any number
+#   may include result, user, host platform, build platform
+
+# Fixed attributes
+# ATTRIBUTE ModDep=strata
+# ATTRIBUTE ModDep=diablo_toolchain
+# ATTRIBUTE ModDep=stratafier
+# ATTRIBUTE ModDep=idapro61
+# ATTRIBUTE ModDep=idapro61_sdk
+# ATTRIBUTE TestsWhat=lang_C
+# ATTRIBUTE TestsWhat=strata
+# ATTRIBUTE TestsWhat=commandinjection
+# ATTRIBUTE TestsWhat=peasoup_end2end
+# ATTRIBUTE OS=linux
+# ATTRIBUTE Compiler=gcc
+# ATTRIBUTE Arch=x86_32
+
+# ATTRIBUTE TestName=postgres_via_env
+# ATTRIBUTE BenchmarkName=TandE
+# ATTRIBUTE CompilerFlags="-w"
+
+COMPFLAGS="-w"
+
+PWD=`pwd`
+TESTLOC="${PWD}"
+tmp=$$.tmp
+
+outfile=$1
+
+cleanup()
+{
+	exit_code=$1
+	shift
+	msg=$*
+
+	if [ $exit_code -eq 0 ]; then 
+		report_test_success $outfile "$msg"
+	else
+		report_test_failure $outfile "Intermediate step failed, exit code is $exit_code, msg='$msg'"
+	fi
+
+#	cd $TESTLOC
+# 	rm -f $tmp 2>/dev/null
+#	make clean
+#	cd -
+
+	exit $exit_code
+}
+
+# suck in utils
+. ${TEST_HARNESS_HOME}/test_utils.sh || cleanup 1 "Cannot source utils file"
+
+assert_test_args $*
+assert_test_env $outfile STRATAFIER STRATA TOOLCHAIN IDAROOT IDASDK PEASOUP_HOME SECURITY_TRANSFORMS_HOME
+
+# path to source
+cd $TESTLOC
+make clean peasoup.env
+if [ ! $? -eq 0 ]; then
+	cleanup 1 "Failed to build postgres tests"
+fi
+
+
+#
+# testpg1.exe.env.peasoup
+#
+
+# test good queries
+rm -f $tmp 2>/dev/null
+QUERY_DATA="bob" ./testpg1.exe.env.peasoup > $tmp 2>&1
+grep -i query $tmp | grep -i success
+if [ ! $? -eq 0 ]; then
+	cat $tmp
+	cleanup 2 "False positive detected: query for testpg1.exe.env.peasoup should have succeeded"
+fi
+
+rm -f $tmp
+QUERY_DATA="select * from xyz" ./testpg1.exe.env.peasoup > $tmp 2>&1
+grep -i query $tmp | grep -i success
+if [ ! $? -eq 0 ]; then
+	cat $tmp
+	cleanup 3 "False positive detected: query for testpg1.exe.env.peasoup should have succeeded"
+fi
+
+# test attack queries
+rm -f $tmp
+QUERY_DATA="' or 1 = 1;--" ./testpg1.exe.env.peasoup > $tmp 2>&1
+grep -i "sql injection" $tmp | grep -i detected
+if [ ! $? -eq 0 ]; then
+	cat $tmp
+	cleanup 4 "False negative detected: attack query for testpg1.exe.env.peasoup should have been detected"
+fi
+
+rm -f $tmp
+QUERY_DATA="' and /* */ 1 = 1 /* */; /*--*/" ./testpg1.exe.env.peasoup > $tmp 2>&1
+grep -i "sql injection" $tmp | grep -i detected
+if [ ! $? -eq 0 ]; then
+	cat $tmp
+	cleanup 5 "False negative detected: attack query for testpg1.exe.env.peasoup should have been detected"
+fi
+
+rm -f $tmp
+QUERY_DATA="%' or 1 = 1; -- select *" ./testpg1.exe.env.peasoup > $tmp 2>&1
+grep -i "sql injection" $tmp | grep -i detected
+if [ ! $? -eq 0 ]; then
+	cat $tmp
+	cleanup 6 "False negative detected: attack query for testpg1.exe.env.peasoup should have been detected"
+fi
+
+psql -f ./teardown.sql
+cleanup 0 "Successfully detected Postgres SQL Injection"
+
+#
+# testpg2.exe.env.peasoup
+#
+psql -f ./teardown.sql 2>/dev/null # in case we have remnmants from a previous testing run
+psql -f ./setup.sql
+
+# good query
+rm -f $tmp
+./testpg2.exe.env.peasoup David > $tmp 2>&1
+grep -i "David Hyde" $tmp
+if [ ! $? -eq 0 ]; then
+	cat $tmp
+	cleanup 7 "False positive detected: query for testpg2.exe.env.peasoup should have succeeded"
+fi
+
+# attack query
+rm -f $tmp
+./testpg2.exe "David' or '0'='0" > $tmp 2>&1
+grep -i William $tmp
+if [ ! $? -eq 0 ]; then
+	cat $tmp
+	cleanup 7 "False negative detected: attack query for testpg2.exe.env.peasoup should have failed"
+fi
+
+#
+# testpg4.exe.env.peasoup
+# test multi-statement queries
+#
+rm -f $tmp
+./testpg4.exe.env.peasoup "bob" > $tmp 2>&1
+grep -i "sql injection" $tmp | grep -i detected
+if [ $? -eq 0 ]; then
+	cat $tmp
+	cleanup 8 "False positive detected: there should be no SQL injections here"
+fi
+
+psql -f ./teardown.sql
+cleanup 0 "Successfully detected Postgres SQL Injection"

appfw/tests/postgres/testpg1.env.c

+#include <stdio.h>
+#include <stdlib.h>
+#include "libpq-fe.h"
+
+void exitNicely(PGconn *p_conn)
+{
+  PQfinish(p_conn);
+  exit(1);
+}
+
+int main(int argc, char **argv)
+{
+  char conninfo[1024];
+  char query[1024];
+  char *querydata;
+  char bogus[1024];
+  PGconn     *conn;
+  PGresult   *res;
+
+  sprintf(conninfo, "dbname = %s", getenv("PGDATABASE"));
+
+  conn = PQconnectdb(conninfo);
+
+  if (PQstatus(conn) != CONNECTION_OK)
+  {
+    fprintf(stderr, "Connection to database failed: %s", PQerrorMessage(conn));
+	exitNicely(conn);
+  }
+
+  querydata = getenv("QUERY_DATA");
+  // deliberately allow for SQL injection
+  sprintf(query, "select * from doip where comment = '%s';", querydata);
+  fprintf(stdout, "issuing query: %s\n", query);
+
+  // force signatures to contain the letter o,r,a,n,d to make sure
+  // we don't allow AND OR to be made up of single letters
+  sprintf(bogus,"o");
+  sprintf(&bogus[1],"r");
+  sprintf(&bogus[2],"=");
+  sprintf(&bogus[3],";");
+  sprintf(&bogus[4],"-");
+  sprintf(&bogus[5],"a");
+  sprintf(&bogus[6],"n");
+  sprintf(&bogus[7],"d");
+
+  // play with uppercase in SQL instructions (SQL is case insensitive)
+  query[0]='S';
+  query[2]='L';
+  res = PQexec(conn, query);
+  if (PQresultStatus(res) == PGRES_TUPLES_OK)
+  {
+    fprintf(stderr, "-------------------------------------------\n");
+    fprintf(stderr, "\tQuery success: %s\n", query);
+    fprintf(stderr, "-------------------------------------------\n");
+  }
+  else
+  {
+    fprintf(stderr, "-------------------------------------------\n");
+    fprintf(stderr, "\tQuery failed: %s\n", query);
+    fprintf(stderr, "-------------------------------------------\n");
+  }
+
+  PQclear(res);
+
+  PQfinish(conn);
+
+  return 0;
+}