rspec/rules/S1057/plsql/rule.adoc

Some Oracle packages contain powerful SYS-owned functions that can be used to perform malicious operations. For instance, ``++DBMS_SYS_SQL.PARSE_AS_USER++`` can be used to execute a statement as another user.


Most programs do not need those functions and this rule helps identify them in order to prevent security risks.


== Noncompliant Code Example

----
DECLARE
  c INTEGER;
  sqltext VARCHAR2(100) := 'ALTER USER system IDENTIFIED BY hacker'; -- Might be injected by the user
BEGIN
  c := SYS.DBMS_SYS_SQL.OPEN_CURSOR();                               -- Noncompliant

   -- Will change 'system' user's password to 'hacker'
  SYS.DBMS_SYS_SQL.PARSE_AS_USER(c, sqltext, DBMS_SQL.NATIVE, UID);  -- Non-Compliant

  SYS.DBMS_SYS_SQL.CLOSE_CURSOR(c);                                  -- Noncompliant
END;
/
----


== See

* https://cwe.mitre.org/data/definitions/269.html[MITRE, CWE-269] - Improper Privilege Management
* https://cwe.mitre.org/data/definitions/270.html[MITRE, CWE-270] - Privilege Context Switching Error


ifdef::rspecator-view[]
== Comments And Links
(visible only on this page)

include::comments-and-links.adoc[]
endif::rspecator-view[]
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			Some Oracle packages contain powerful SYS-owned functions that can be used to perform malicious operations. For instance, ``++DBMS_SYS_SQL.PARSE_AS_USER++`` can be used to execute a statement as another user.


			`Most programs do not need those functions and this rule helps identify them in order to prevent security risks.`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== Noncompliant Code Example`

			`----`
			`DECLARE`
			`c INTEGER;`
			`sqltext VARCHAR2(100) := 'ALTER USER system IDENTIFIED BY hacker'; -- Might be injected by the user`
			`BEGIN`
			`c := SYS.DBMS_SYS_SQL.OPEN_CURSOR(); -- Noncompliant`

			`-- Will change 'system' user's password to 'hacker'`
			`SYS.DBMS_SYS_SQL.PARSE_AS_USER(c, sqltext, DBMS_SQL.NATIVE, UID); -- Non-Compliant`

			`SYS.DBMS_SYS_SQL.CLOSE_CURSOR(c); -- Noncompliant`
			`END;`
			`/`
			`----`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== See`

			`* https://cwe.mitre.org/data/definitions/269.html[MITRE, CWE-269] - Improper Privilege Management`
			`* https://cwe.mitre.org/data/definitions/270.html[MITRE, CWE-270] - Privilege Context Switching Error`
Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
			`ifdef::rspecator-view[]`
			`== Comments And Links`
			`(visible only on this page)`

			`include::comments-and-links.adoc[]`
			`endif::rspecator-view[]`