orthanc: OrthancServer/Database/SQLiteDatabaseWrapper.cpp comparison

enforcing SQLiteDatabaseWrapper::GetTableRecordCount() against SQL injection

author	Sebastien Jodogne <s.jodogne@gmail.com>
date	Fri, 03 Apr 2020 14:47:37 +0200
parents	2a170a8f1faf
children	100fbe970762

comparison

equal deleted inserted replaced

-:7f083dfae62b
+:2bf30ef727e3
 }
 int64_t SQLiteDatabaseWrapper::GetTableRecordCount(const std::string& table)
 {
-char buf[128];
+/**
-sprintf(buf, "SELECT COUNT(*) FROM %s", table.c_str());
+* "Generally one cannot use SQL parameters/placeholders for
-SQLite::Statement s(db_, buf);
+* database identifiers (tables, columns, views, schemas, etc.) or
+* database functions (e.g., CURRENT_DATE), but instead only for
-if (!s.Step())
+* binding literal values." => To avoid any SQL injection, we
+* check that the "table" parameter has only alphabetic
+* characters.
+* https://stackoverflow.com/a/1274764/881731
+**/
+for (size_t i = 0; i < table.size(); i++)
+{
+if (!isalpha(table[i]))
+{
+throw OrthancException(ErrorCode_ParameterOutOfRange);
+}
+}
+// Don't use "SQLITE_FROM_HERE", otherwise "table" would be cached
+SQLite::Statement s(db_, "SELECT COUNT(*) FROM " + table);
+if (s.Step())
+{
+int64_t c = s.ColumnInt(0);
+assert(!s.Step());
+return c;
+}
+else
 {
 throw OrthancException(ErrorCode_InternalError);
 }
-int64_t c = s.ColumnInt(0);
-assert(!s.Step());
-return c;
 }
 SQLiteDatabaseWrapper::SQLiteDatabaseWrapper(const std::string& path) :
 listener_(NULL),

Mercurial > hg > orthanc