From 0fb0a51a7b14a220bb258abcef57563d95056c2c Mon Sep 17 00:00:00 2001
From: an7s <an7s@git.zephyr-software.com>
Date: Thu, 20 Jun 2013 14:40:32 +0000
Subject: [PATCH] Modified tests to take query data from an environment
 variable Tests to make sure that vetted tokens come from a single signature

Former-commit-id: e532126bf0874cca10852870ace8518b4482890d
---
 .gitattributes                            |   2 +
 appfw/tests/postgres/Makefile             |  22 ++-
 appfw/tests/postgres/postgres.test.env.sh | 160 ++++++++++++++++++++++
 appfw/tests/postgres/testpg1.env.c        |  68 +++++++++
 4 files changed, 247 insertions(+), 5 deletions(-)
 create mode 100755 appfw/tests/postgres/postgres.test.env.sh
 create mode 100644 appfw/tests/postgres/testpg1.env.c

diff --git a/.gitattributes b/.gitattributes
index 4e57ab464..fdf365e00 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -124,10 +124,12 @@ appfw/tests/oscommand/Makefile -text
 appfw/tests/oscommand/dotest.sh -text
 appfw/tests/oscommand/testosc.c -text
 appfw/tests/postgres/Makefile -text
+appfw/tests/postgres/postgres.test.env.sh -text
 appfw/tests/postgres/postgres.test.sh -text
 appfw/tests/postgres/setup.sql -text
 appfw/tests/postgres/teardown.sql -text
 appfw/tests/postgres/testpg1.c -text
+appfw/tests/postgres/testpg1.env.c -text
 appfw/tests/postgres/testpg2.c -text
 appfw/tests/postgres/testpg3.c -text
 appfw/tests/postgres/testpg4.c -text
diff --git a/appfw/tests/postgres/Makefile b/appfw/tests/postgres/Makefile
index d98f928cf..6a9f1bfe2 100644
--- a/appfw/tests/postgres/Makefile
+++ b/appfw/tests/postgres/Makefile
@@ -3,10 +3,14 @@ APPFW_LIB=$(SECURITY_TRANSFORMS_HOME)/appfw/lib/libappfw.so
 generate_signatures=$(PEASOUP_HOME)/tools/generate_string_signatures.sh
 
 all: testpg1.exe testpg2.exe testpg3.exe testpg4.exe
+all.env: testpg1.env.exe 
 
 testpg1.o: testpg1.c
 	gcc -I/usr/include/postgresql -c testpg1.c
 
+testpg1.env.o: testpg1.env.c
+	gcc -I/usr/include/postgresql -c testpg1.env.c
+
 testpg2.o: testpg2.c
 	gcc -I/usr/include/postgresql -c testpg2.c
 
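Review bot: `all.env` (and `peasoup.env` in the third hunk) name commands rather than files, and no `.PHONY` declaration covering them is visible here; unless one exists elsewhere in the Makefile, a stray file named `all.env` would make the target silently up to date, so add `.PHONY: all.env peasoup.env`. The new `testpg1.env.o` rule, like the `testpg1.env.exe` rule in the next hunk, copies the existing per-file recipe with a hard-coded `gcc`; a single pattern rule `%.o: %.c` with recipe `$(CC) $(CPPFLAGS) -I/usr/include/postgresql -c $< -o $@` would cover every testpg*.o target and let `CC`/`CPPFLAGS` be overridden from the command line. The Makefile continues on both sides of this hunk.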
@@ -20,6 +24,10 @@ testpg1.exe: testpg1.o
 	gcc testpg1.o -o testpg1.exe -lpq
 	$(generate_signatures) testpg1.exe
 
+testpg1.env.exe: testpg1.env.o
+	gcc testpg1.env.o -o testpg1.env.exe -lpq
+	$(generate_signatures) testpg1.env.exe
+
 testpg2.exe: testpg2.o
 	gcc testpg2.o -o testpg2.exe -lpq
 	$(generate_signatures) testpg2.exe
@@ -36,14 +44,18 @@ clean:
 	rm -rf *.o *.tmp *.exe peasoup_executable_directory* test*.peasoup messages_to_tne.log ps_tne_logfile.txt testpg*.exe.sigs appfw.db 
 
 peasoup: all
-	APPFW_VERBOSE=1 $(PEASOUP_HOME)/tools/ps_analyze.sh testpg1.exe testpg1.exe.peasoup --step concolic=off --step integertransform=off --step p1transform=off
-	$(PEASOUP_HOME)/tools/ps_analyze.sh testpg2.exe testpg2.exe.peasoup --step concolic=off --step integertransform=off --step p1transform=off
-	$(PEASOUP_HOME)/tools/ps_analyze.sh testpg3.exe testpg3.exe.peasoup --step concolic=off --step integertransform=off --step p1transform=off
-	$(PEASOUP_HOME)/tools/ps_analyze.sh testpg4.exe testpg4.exe.peasoup --step concolic=off --step integertransform=off --step p1transform=off
+	$(PEASOUP_HOME)/tools/ps_analyze.sh testpg1.exe testpg1.exe.peasoup --step concolic=off --step integertransform=off --step p1transform=off --step ilr=off --step determine_program=off
+	$(PEASOUP_HOME)/tools/ps_analyze.sh testpg2.exe testpg2.exe.peasoup --step concolic=off --step integertransform=off --step p1transform=off --step ilr=off --step determine_program=off
+	$(PEASOUP_HOME)/tools/ps_analyze.sh testpg3.exe testpg3.exe.peasoup --step concolic=off --step integertransform=off --step p1transform=off --step ilr=off --step determine_program=off
+	$(PEASOUP_HOME)/tools/ps_analyze.sh testpg4.exe testpg4.exe.peasoup --step concolic=off --step integertransform=off --step p1transform=off --step ilr=off --step determine_program=off
 	
+peasoup.env: all.env
+	$(PEASOUP_HOME)/tools/ps_analyze.sh testpg1.env.exe testpg1.exe.env.peasoup --step concolic=off --step integertransform=off --step p1transform=off --step ilr=off --step determine_program=off
+
 run: all
 #	LD_PRELOAD=$(APPFW_LIB) APPFW_DB=appfw.db APPFW_SIGNATURE_FILE=testpg4.exe.sigs ./testpg4.exe "bob"
 #	LD_PRELOAD=$(APPFW_LIB) APPFW_DB=appfw.db APPFW_SIGNATURE_FILE=testpg3.exe.sigs ./testpg3.exe "select * from xyz;"
 #	LD_PRELOAD=$(APPFW_LIB) APPFW_DB=appfw.db APPFW_SIGNATURE_FILE=testpg3.exe.sigs ./testpg3.exe "' or 1=1; --"
-	LD_PRELOAD=$(APPFW_LIB) APPFW_DB=appfw.db APPFW_SIGNATURE_FILE=testpg1.exe.sigs ./testpg1.exe "' or 1 = 1; --"
+#	LD_PRELOAD=$(APPFW_LIB) APPFW_DB=appfw.db APPFW_SIGNATURE_FILE=testpg1.exe.sigs ./testpg1.exe "' or 1 = 1; --"
+	QUERY_DATA="' or 1 = 1; -- " LD_PRELOAD=$(APPFW_LIB) APPFW_DB=appfw.db APPFW_SIGNATURE_FILE=testpg1.env.exe.sigs ./testpg1.env.exe 
 #	LD_PRELOAD=$(APPFW_LIB) APPFW_DB=appfw.db APPFW_SIGNATURE_FILE=testpg2.exe.sigs ./testpg2.exe "' or 1=1; --"
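Review bot: `run` still depends only on `all`, but its sole active command now executes `./testpg1.env.exe` with `testpg1.env.exe.sigs`, and those are produced by `all.env`, not `all`, so from a clean tree `make run` fails because the binary and signature file do not exist. Change the header to `run: all all.env` (or just `run: all.env`, since none of the `all` products is used by the remaining active line). The `peasoup.env` recipe writes `testpg1.exe.env.peasoup` from `testpg1.env.exe`; the ordering differs from the binary's name but matches what postgres.test.env.sh executes, so a comment such as `# output name is consumed by postgres.test.env.sh` would stop a later "fix" from breaking the test. The commented-out invocations in `run` are dead recipe text and could be dropped rather than accumulated.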
diff --git a/appfw/tests/postgres/postgres.test.env.sh b/appfw/tests/postgres/postgres.test.env.sh
new file mode 100755
index 000000000..5cb5d9892
--- /dev/null
+++ b/appfw/tests/postgres/postgres.test.env.sh
@@ -0,0 +1,160 @@
+#!/bin/sh -x
+
+# Assumptions:
+# 	$1 is the full pathname to output file
+
+# For PEASOUP, Required XML fields are
+# name - name of the test
+# host - name of the host where the test was run
+# project - project name
+# date_time - date time in specific format date +%FT%R:%S
+# key_value pairs, any number
+#   may include result, user, host platform, build platform
+
+# Fixed attributes
+# ATTRIBUTE ModDep=strata
+# ATTRIBUTE ModDep=diablo_toolchain
+# ATTRIBUTE ModDep=stratafier
+# ATTRIBUTE ModDep=idapro61
+# ATTRIBUTE ModDep=idapro61_sdk
+# ATTRIBUTE TestsWhat=lang_C
+# ATTRIBUTE TestsWhat=strata
+# ATTRIBUTE TestsWhat=commandinjection
+# ATTRIBUTE TestsWhat=peasoup_end2end
+# ATTRIBUTE OS=linux
+# ATTRIBUTE Compiler=gcc
+# ATTRIBUTE Arch=x86_32
+
+# ATTRIBUTE TestName=postgres_via_env
+# ATTRIBUTE BenchmarkName=TandE
+# ATTRIBUTE CompilerFlags="-w"
+
+COMPFLAGS="-w"
+
+PWD=`pwd`
+TESTLOC="${PWD}"
+tmp=$$.tmp
+
+outfile=$1
+
+cleanup()
+{
+	exit_code=$1
+	shift
+	msg=$*
+
+	if [ $exit_code -eq 0 ]; then 
+		report_test_success $outfile "$msg"
+	else
+		report_test_failure $outfile "Intermediate step failed, exit code is $exit_code, msg='$msg'"
+	fi
+
+#	cd $TESTLOC
+# 	rm -f $tmp 2>/dev/null
+#	make clean
+#	cd -
+
+	exit $exit_code
+}
+
+# suck in utils
+. ${TEST_HARNESS_HOME}/test_utils.sh || cleanup 1 "Cannot source utils file"
+
+assert_test_args $*
+assert_test_env $outfile STRATAFIER STRATA TOOLCHAIN IDAROOT IDASDK PEASOUP_HOME SECURITY_TRANSFORMS_HOME
+
+# path to source
+cd $TESTLOC
+make clean peasoup.env
+if [ ! $? -eq 0 ]; then
+	cleanup 1 "Failed to build postgres tests"
+fi
+
+
+#
+# testpg1.exe.env.peasoup
+#
+
+# test good queries
+rm -f $tmp 2>/dev/null
+QUERY_DATA="bob" ./testpg1.exe.env.peasoup > $tmp 2>&1
+grep -i query $tmp | grep -i success
+if [ ! $? -eq 0 ]; then
+	cat $tmp
+	cleanup 2 "False positive detected: query for testpg1.exe.env.peasoup should have succeeded"
+fi
+
+rm -f $tmp
+QUERY_DATA="select * from xyz" ./testpg1.exe.env.peasoup > $tmp 2>&1
+grep -i query $tmp | grep -i success
+if [ ! $? -eq 0 ]; then
+	cat $tmp
+	cleanup 3 "False positive detected: query for testpg1.exe.env.peasoup should have succeeded"
+fi
+
+# test attack queries
+rm -f $tmp
+QUERY_DATA="' or 1 = 1;--" ./testpg1.exe.env.peasoup > $tmp 2>&1
+grep -i "sql injection" $tmp | grep -i detected
+if [ ! $? -eq 0 ]; then
+	cat $tmp
+	cleanup 4 "False negative detected: attack query for testpg1.exe.env.peasoup should have been detected"
+fi
+
+rm -f $tmp
+QUERY_DATA="' and /* */ 1 = 1 /* */; /*--*/" ./testpg1.exe.env.peasoup > $tmp 2>&1
+grep -i "sql injection" $tmp | grep -i detected
+if [ ! $? -eq 0 ]; then
+	cat $tmp
+	cleanup 5 "False negative detected: attack query for testpg1.exe.env.peasoup should have been detected"
+fi
+
+rm -f $tmp
+QUERY_DATA="%' or 1 = 1; -- select *" ./testpg1.exe.env.peasoup > $tmp 2>&1
+grep -i "sql injection" $tmp | grep -i detected
+if [ ! $? -eq 0 ]; then
+	cat $tmp
+	cleanup 6 "False negative detected: attack query for testpg1.exe.env.peasoup should have been detected"
+fi
+
+psql -f ./teardown.sql
+cleanup 0 "Successfully detected Postgres SQL Injection"
+
+#
+# testpg2.exe.env.peasoup
+#
+psql -f ./teardown.sql 2>/dev/null # in case we have remnmants from a previous testing run
+psql -f ./setup.sql
+
+# good query
+rm -f $tmp
+./testpg2.exe.env.peasoup David > $tmp 2>&1
+grep -i "David Hyde" $tmp
+if [ ! $? -eq 0 ]; then
+	cat $tmp
+	cleanup 7 "False positive detected: query for testpg2.exe.env.peasoup should have succeeded"
+fi
+
+# attack query
+rm -f $tmp
+./testpg2.exe "David' or '0'='0" > $tmp 2>&1
+grep -i William $tmp
+if [ ! $? -eq 0 ]; then
+	cat $tmp
+	cleanup 7 "False negative detected: attack query for testpg2.exe.env.peasoup should have failed"
+fi
+
+#
+# testpg4.exe.env.peasoup
+# test multi-statement queries
+#
+rm -f $tmp
+./testpg4.exe.env.peasoup "bob" > $tmp 2>&1
+grep -i "sql injection" $tmp | grep -i detected
+if [ $? -eq 0 ]; then
+	cat $tmp
+	cleanup 8 "False positive detected: there should be no SQL injections here"
+fi
+
+psql -f ./teardown.sql
+cleanup 0 "Successfully detected Postgres SQL Injection"
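Review bot: The `cleanup 0 "Successfully detected Postgres SQL Injection"` call right after the testpg1 section calls `exit` inside `cleanup`, so everything that follows — the testpg2.exe.env.peasoup and testpg4.exe.env.peasoup sections — never runs, and the final `cleanup 0` is unreachable. Those sections also could not pass as written: `peasoup.env` in the Makefile builds only `testpg1.exe.env.peasoup`, and the testpg2 attack case invokes the unprotected `./testpg2.exe` rather than a `.peasoup` binary, so it would exercise the wrong program. Either delete the dead sections or remove the first `psql -f ./teardown.sql` / `cleanup 0` pair, add the missing builds to `peasoup.env`, and change the attack case to `./testpg2.exe.env.peasoup "David' or '0'='0"`. Separately, the `PWD=` assignment at the top clobbers the shell's own `PWD` variable (assigning `TESTLOC` directly avoids that), and the testpg1 section runs no `setup.sql` before querying `doip`; if that table is created by setup.sql the two good-query checks will fail before any injection case is reached — worth confirming against setup.sql.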
diff --git a/appfw/tests/postgres/testpg1.env.c b/appfw/tests/postgres/testpg1.env.c
new file mode 100644
index 000000000..1c7d71300
--- /dev/null
+++ b/appfw/tests/postgres/testpg1.env.c
@@ -0,0 +1,68 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include "libpq-fe.h"
+
+void exitNicely(PGconn *p_conn)
+{
+  PQfinish(p_conn);
+  exit(1);
+}
+
+int main(int argc, char **argv)
+{
+  char conninfo[1024];
+  char query[1024];
+  char *querydata;
+  char bogus[1024];
+  PGconn     *conn;
+  PGresult   *res;
+
+  sprintf(conninfo, "dbname = %s", getenv("PGDATABASE"));
+
+  conn = PQconnectdb(conninfo);
+
+  if (PQstatus(conn) != CONNECTION_OK)
+  {
+    fprintf(stderr, "Connection to database failed: %s", PQerrorMessage(conn));
+	exitNicely(conn);
+  }
+
+  querydata = getenv("QUERY_DATA");
+  // deliberately allow for SQL injection
+  sprintf(query, "select * from doip where comment = '%s';", querydata);
+  fprintf(stdout, "issuing query: %s\n", query);
+
+  // force signatures to contain the letter o,r,a,n,d to make sure
+  // we don't allow AND OR to be made up of single letters
+  sprintf(bogus,"o");
+  sprintf(&bogus[1],"r");
+  sprintf(&bogus[2],"=");
+  sprintf(&bogus[3],";");
+  sprintf(&bogus[4],"-");
+  sprintf(&bogus[5],"a");
+  sprintf(&bogus[6],"n");
+  sprintf(&bogus[7],"d");
+
+  // play with uppercase in SQL instructions (SQL is case insensitive)
+  query[0]='S';
+  query[2]='L';
+  res = PQexec(conn, query);
+  if (PQresultStatus(res) == PGRES_TUPLES_OK)
+  {
+    fprintf(stderr, "-------------------------------------------\n");
+    fprintf(stderr, "\tQuery success: %s\n", query);
+    fprintf(stderr, "-------------------------------------------\n");
+  }
+  else
+  {
+    fprintf(stderr, "-------------------------------------------\n");
+    fprintf(stderr, "\tQuery failed: %s\n", query);
+    fprintf(stderr, "-------------------------------------------\n");
+  }
+
+  PQclear(res);
+
+  PQfinish(conn);
+
+  return 0;
+}
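Review bot: Both `getenv` results are passed straight to `sprintf` with `%s`; when `PGDATABASE` or `QUERY_DATA` is unset the argument is NULL, which is undefined behaviour rather than a clean failure, and a `QUERY_DATA` value longer than the 1024-byte `query` buffer overruns the stack — the test is meant to exercise the SQL-injection detection path, not memory corruption, and an overrun makes its pass/fail signal meaningless. Check both variables for NULL before use and format with `snprintf` bounded by `sizeof`, treating truncation of the query as an error so a clipped query is never silently tested, as below. `res` is used without a NULL check after `PQexec`; libpq documents that `PQresultStatus` returns `PGRES_FATAL_ERROR` for a null pointer, so the failure branch covers it, but a one-line comment saying so would save the next reader the lookup. The `bogus` writes are intentional per their comment and can stay.
```c
  const char *dbname = getenv("PGDATABASE");
  if (dbname == NULL)
  {
    fprintf(stderr, "PGDATABASE is not set\n");
    return 1;
  }
  snprintf(conninfo, sizeof conninfo, "dbname = %s", dbname);
  // … unchanged: PQconnectdb and connection status check …
  querydata = getenv("QUERY_DATA");
  if (querydata == NULL)
  {
    fprintf(stderr, "QUERY_DATA is not set\n");
    exitNicely(conn);
  }
  // deliberately allow for SQL injection (that is what the test exercises);
  // the bound only protects the query buffer itself
  if (snprintf(query, sizeof query, "select * from doip where comment = '%s';", querydata) >= (int)sizeof query)
  {
    fprintf(stderr, "QUERY_DATA too long for query buffer\n");
    exitNicely(conn);
  }
  // … unchanged: bogus signature writes, case change, PQexec and result reporting …
```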
-- 
GitLab