Fix phpunit. Refused @@ char in sql.

Laurent Destailleur 2021-06-25 10:47:31 +02:00
parent a4e6eb12a8
commit 46ae7180f8
2 changed files with 19 additions and 3 deletions


@ -104,7 +104,7 @@ function testSqlAndScriptInject($val, $type)
$val = preg_replace('/<!--[^>]*-->/', '', $val);
$inj = 0;
// For SQL Injection (only GET are used to be included into bad escaped SQL requests)
// For SQL Injection (only GET are used to scan for such injection strings)
if ($type == 1 || $type == 3) {
$inj += preg_match('/delete\s+from/i', $val);
$inj += preg_match('/create\s+table/i', $val);
@ -114,15 +114,16 @@ function testSqlAndScriptInject($val, $type)
$inj += preg_match('/user\s*\(/i', $val); // avoid to use function user() that return current database login
$inj += preg_match('/information_schema/i', $val); // avoid to use request that read information_schema database
$inj += preg_match('/<svg/i', $val); // <svg can be allowed in POST
$inj += preg_match('/update.+set.+=/i', $val);
$inj += preg_match('/union.+select/i', $val);
}
if ($type == 3) {
$inj += preg_match('/select|update|delete|truncate|replace|group\s+by|concat|count|from|union/i', $val);
}
if ($type != 2) { // Not common key strings, so we can check them both on GET and POST
$inj += preg_match('/updatexml\(/i', $val);
$inj += preg_match('/update.+set.+=/i', $val);
$inj += preg_match('/union.+select/i', $val);
$inj += preg_match('/(\.\.%2f)+/i', $val);
$inj += preg_match('/\s@@/', $val);
}
// For XSS Injection done by closing textarea to execute content into a textarea field
$inj += preg_match('/<\/textarea/i', $val);
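Review bot: The new check `$inj += preg_match('/\s@@/', $val);` only fires when `@@` is preceded by a whitespace character, so a value where `@@` sits at the start of the string or directly after a punctuation character passes the filter, and the tests added in SecurityTest only exercise the spaced form `select @@version`. The neighbouring patterns in the same `$type != 2` block (`/updatexml\(/i`, `/union.+select/i`) are keyed on the token itself rather than on a separator, so anchoring this one on a non-word boundary would be more consistent, e.g. `$inj += preg_match('/(?:^|\W)@@/', $val);`. Whichever anchor is kept, a short comment stating which legitimate request values are expected to contain `@@` (and therefore why a bare `/@@/` was rejected) would help the next maintainer, together with a test case that has no leading space. testSqlAndScriptInject continues outside the hunk on both sides.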


@ -198,6 +198,9 @@ class SecurityTest extends PHPUnit\Framework\TestCase
$result=testSqlAndScriptInject($test, 0);
$this->assertEquals($expectedresult, $result, 'Error on testSqlAndScriptInject expected 0b');
$test = 'This is the union of all for the selection of the best';
$result=testSqlAndScriptInject($test, 0);
$this->assertEquals($expectedresult, $result, 'Error on testSqlAndScriptInject expected 0c');
// Should detect attack
$expectedresult=1;
@ -206,6 +209,18 @@ class SecurityTest extends PHPUnit\Framework\TestCase
$result=testSqlAndScriptInject($_SERVER["PHP_SELF"], 2);
$this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject for PHP_SELF that should detect XSS');
$test = 'select @@version';
$result=testSqlAndScriptInject($test, 0);
$this->assertEquals($expectedresult, $result, 'Error on testSqlAndScriptInject for SQL1a. Should find an attack on POST param and did not.');
$test = 'select @@version';
$result=testSqlAndScriptInject($test, 1);
$this->assertEquals($expectedresult, $result, 'Error on testSqlAndScriptInject for SQL1b. Should find an attack on GET param and did not.');
$test = '... union ... selection ';
$result=testSqlAndScriptInject($test, 1);
$this->assertEquals($expectedresult, $result, 'Error on testSqlAndScriptInject for SQL2. Should find an attack on GET param and did not.');
$test = 'j&#x61;vascript:';
$result=testSqlAndScriptInject($test, 0);
$this->assertEquals($expectedresult, $result, 'Error on testSqlAndScriptInject for javascript1. Should find an attack and did not.');