2021-04-28 16:49:39 +02:00
Some Oracle packages contain powerful SYS-owned functions that can be used to perform malicious operations. For instance, ``++DBMS_SYS_SQL.PARSE_AS_USER++`` can be used to execute a statement as another user.
Most programs do not need those functions and this rule helps identify them in order to prevent security risks.
2021-04-28 18:08:03 +02:00
2021-04-28 16:49:39 +02:00
== Noncompliant Code Example
2022-02-04 17:28:24 +01:00
[source,sql]
2021-04-28 16:49:39 +02:00
----
DECLARE
c INTEGER;
sqltext VARCHAR2(100) := 'ALTER USER system IDENTIFIED BY hacker'; -- Might be injected by the user
BEGIN
c := SYS.DBMS_SYS_SQL.OPEN_CURSOR(); -- Noncompliant
-- Will change 'system' user's password to 'hacker'
SYS.DBMS_SYS_SQL.PARSE_AS_USER(c, sqltext, DBMS_SQL.NATIVE, UID); -- Non-Compliant
SYS.DBMS_SYS_SQL.CLOSE_CURSOR(c); -- Noncompliant
END;
/
----
2021-04-28 18:08:03 +02:00
2021-04-28 16:49:39 +02:00
== See
2022-02-10 09:11:45 +01:00
* https://owasp.org/Top10/A04_2021-Insecure_Design/[OWASP Top 10 2021 Category A4] - Insecure Design
2021-04-28 16:49:39 +02:00
* https://cwe.mitre.org/data/definitions/269.html[MITRE, CWE-269] - Improper Privilege Management
* https://cwe.mitre.org/data/definitions/270.html[MITRE, CWE-270] - Privilege Context Switching Error
2021-04-28 18:08:03 +02:00
2021-06-02 20:44:38 +02:00
2021-06-03 09:05:38 +02:00
ifdef::env-github,rspecator-view[]
2021-09-20 15:38:42 +02:00
'''
== Implementation Specification
(visible only on this page)
include::message.adoc[]
include::parameters.adoc[]
2021-06-08 15:52:13 +02:00
'''
2021-06-02 20:44:38 +02:00
== Comments And Links
(visible only on this page)
include::comments-and-links.adoc[]
2021-06-03 09:05:38 +02:00
endif::env-github,rspecator-view[]
