rspec/rules/S1523/plsql/rule.adoc

Executing code dynamically is security sensitive. It has led in the past to the following vulnerabilities:

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9807[CVE-2017-9807]
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9802[CVE-2017-9802]

Any code which is dynamically evaluated in your process will have the same permissions as the rest of your code. Thus it is very dangerous to do so with code coming from an untrusted source. https://owasp.org/www-community/attacks/Code_Injection[Injected Code] can either run on the server or in the client (exemple: XSS attack).


``++EXECUTE IMMEDIATE++`` executes as a dynamic SQL statement or anonymous PL/SQL block the string passed as an argument. It's safe only if the argument is composed of constant character string expressions. But if the command string is dynamically built using external parameters, then it is considered very dangerous because executing a random string allows the execution of arbitrary code. 


This rule marks for review each occurence of dynamic code execution.

include::../ask-yourself.adoc[]

== Recommended Secure Coding Practices

The best solution is to not run code provided by an untrusted source. If you really need to build a command string using external parameters, you should use ``++EXECUTE IMMEDIATE++`` with bind variables instead.


Do not try to create a blacklist of dangerous code. It is impossible to cover all attacks that way.

== Sensitive Code Example

----
CREATE OR REPLACE PROCEDURE ckpwd (p_user IN VARCHAR2, p_pass IN VARCHAR2) 
IS
 v_query  VARCHAR2(100);
 v_output NUMBER;
BEGIN
 v_query :=    q'{SELECT COUNT(*) FROM user_pwd }'
         ||    q'{WHERE username = '}'
         ||    p_user
         ||    q'{' AND password = '}'
         ||    p_pass
         ||    q'{'}';
 EXECUTE IMMEDIATE v_query 
  INTO v_output;
END;
----

== Compliant Solution

[source,sql]
----
CREATE OR REPLACE PROCEDURE ckpwd_bind (p_user IN VARCHAR2, p_pass IN VARCHAR2) 
IS
 v_query  VARCHAR2(100);
 v_output NUMBER;
BEGIN
 v_query := 
   q'{SELECT COUNT(*) FROM user_pwd WHERE username = :1 AND password = :2}';
 EXECUTE IMMEDIATE v_query 
  INTO v_output
  USING p_user, p_pass;
END;
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

'''
== Comments And Links
(visible only on this page)

include::../comments-and-links.adoc[]

endif::env-github,rspecator-view[]
Add rules 1000-1999 2020-06-30 12:47:33 +02:00			`Executing code dynamically is security sensitive. It has led in the past to the following vulnerabilities:`
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Add rules 1000-1999 2020-06-30 12:47:33 +02:00			`* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9807[CVE-2017-9807]`
			`* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9802[CVE-2017-9802]`

Modify: Fix old/broken embedded links (#1100) 2022-07-08 13:58:56 +02:00			`Any code which is dynamically evaluated in your process will have the same permissions as the rest of your code. Thus it is very dangerous to do so with code coming from an untrusted source. https://owasp.org/www-community/attacks/Code_Injection[Injected Code] can either run on the server or in the client (exemple: XSS attack).`
Add rules 1000-1999 2020-06-30 12:47:33 +02:00
Force linebreaks 2021-02-02 15:02:10 +01:00
make in-line code blocks verbatim 2021-01-27 13:42:22 +01:00			``++EXECUTE IMMEDIATE++`` executes as a dynamic SQL statement or anonymous PL/SQL block the string passed as an argument. It's safe only if the argument is composed of constant character string expressions. But if the command string is dynamically built using external parameters, then it is considered very dangerous because executing a random string allows the execution of arbitrary code.
Add rules 1000-1999 2020-06-30 12:47:33 +02:00
Force linebreaks 2021-02-02 15:02:10 +01:00
Add rules 1000-1999 2020-06-30 12:47:33 +02:00			`This rule marks for review each occurence of dynamic code execution.`

			`include::../ask-yourself.adoc[]`

			`== Recommended Secure Coding Practices`

make in-line code blocks verbatim 2021-01-27 13:42:22 +01:00			The best solution is to not run code provided by an untrusted source. If you really need to build a command string using external parameters, you should use ``++EXECUTE IMMEDIATE++`` with bind variables instead.
Add rules 1000-1999 2020-06-30 12:47:33 +02:00
Force linebreaks 2021-02-02 15:02:10 +01:00
Add rules 1000-1999 2020-06-30 12:47:33 +02:00			`Do not try to create a blacklist of dangerous code. It is impossible to cover all attacks that way.`

			`== Sensitive Code Example`

			`----`
			`CREATE OR REPLACE PROCEDURE ckpwd (p_user IN VARCHAR2, p_pass IN VARCHAR2)`
			`IS`
			`v_query VARCHAR2(100);`
			`v_output NUMBER;`
			`BEGIN`
			`v_query := q'{SELECT COUNT(*) FROM user_pwd }'`
			`\|\| q'{WHERE username = '}'`
			`\|\| p_user`
			`\|\| q'{' AND password = '}'`
			`\|\| p_pass`
			`\|\| q'{'}';`
			`EXECUTE IMMEDIATE v_query`
			`INTO v_output;`
			`END;`
			`----`

			`== Compliant Solution`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,sql]`
Add rules 1000-1999 2020-06-30 12:47:33 +02:00			`----`
			`CREATE OR REPLACE PROCEDURE ckpwd_bind (p_user IN VARCHAR2, p_pass IN VARCHAR2)`
			`IS`
			`v_query VARCHAR2(100);`
			`v_output NUMBER;`
			`BEGIN`
			`v_query :=`
			`q'{SELECT COUNT(*) FROM user_pwd WHERE username = :1 AND password = :2}';`
			`EXECUTE IMMEDIATE v_query`
			`INTO v_output`
			`USING p_user, p_pass;`
			`END;`
			`----`

			`include::../see.adoc[]`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`include::../message.adoc[]`

RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

			`include::../comments-and-links.adoc[]`
Make sure that includes are always surrounded by empty lines (#2270) When an include is not surrounded by empty lines, its content is inlined on the same line as the adjacent content. That can lead to broken tags and other display issues. This PR fixes all such includes and introduces a validation step that forbids introducing the same problem again. 2023-06-22 10:38:01 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`