Bug 37508: Throw error if password column is detected in SQL report

This enhancement prevents SQL queries from being run if they would return a password field from the database table.

To test:

1. Run tests and notice they fail t/db_dependent/Reports/Guided.t

2. Apply patch and restart services

3. Create a public report with an SQL report which would access a password column in a database table
4. Try to run the report. Notice you are met with an error and the results are not shown.
5. Access the JSON URL, you should not get the results and should be shown an error
6. Confirm tests pass t/db_dependent/Reports/Guided.t

Sponsored-by: Reserve Bank of New Zealand
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
This commit is contained in:
Aleisha Amohia 2024-07-29 03:53:06 +00:00 committed by Tomas Cohen Arazi
parent b45f0e9978
commit 73880de0c4
Signed by: tomascohen
GPG key ID: 0A272EA1B2F3C15F
4 changed files with 42 additions and 5 deletions

View file

@ -615,6 +615,12 @@ sub execute_query {
};
warn $@ if $@;
foreach my $column ( @{ $sth->{NAME_lc} } ) {
if ( $column eq 'password' ) {
return ( $sth, { passworderr => $column } );
}
}
return ( $sth, { queryerr => $sth->errstr } ) if ($sth->err);
return ( $sth );
}

View file

@ -1381,6 +1381,10 @@
[% error.queryerr | html %]<br />Please check the log for further details.
[% ELSIF ( error.cache_expiry ) %]
Please select a cache expiry less than 30 days.
[% ELSIF ( error.passworderr ) %]
The column selection in this report includes a password field.<br>
The report cannot be executed due to security risks.<br>
Please edit this report and ensure no password columns have been selected.
[% ELSE %]
[% END %]
<div id="onerror_actions">

View file

@ -76,7 +76,9 @@ unless ($json_text) {
report_id => $report_id,
}
);
if ($sth) {
if ($errors) {
$json_text = encode_json($errors);
} else {
my $lines;
if ($report_annotation) {
$lines = $sth->fetchall_arrayref({});
@ -90,9 +92,6 @@ unless ($json_text) {
$cache->set_in_cache( $cache_key, $json_text, { expiry => $report_rec->cache_expiry } );
}
}
else {
$json_text = encode_json($errors);
}
}
print $query->header(

View file

@ -18,7 +18,7 @@
use Modern::Perl;
use Test::More tests => 11;
use Test::More tests => 12;
use Test::Warn;
use t::lib::TestBuilder;
@ -499,6 +499,34 @@ subtest 'nb_rows() tests' => sub {
$schema->storage->txn_rollback;
};
subtest 'Returning passwords tests' => sub {
plan tests => 3;
my $dbh = C4::Context->dbh;
$schema->storage->txn_begin;
my $query = q{ SELECT * FROM borrowers };
my ( $sth, $errors ) = execute_query( { sql => $query } );
is( defined($errors), 1, 'Query returns password field' );
$query = q{ SELECT * FROM z3950servers };
( $sth, $errors ) = execute_query( { sql => $query } );
is( defined($errors), 1, 'Query returns password field' );
$query = q{ SELECT password FROM deletedborrowers };
( $sth, $errors ) = execute_query( { sql => $query } );
is( defined($errors), 1, 'Query returns password field' );
$schema->storage->txn_rollback;
};
sub trim {
my ($s) = @_;
$s =~ s/^\s*(.*?)\s*$/$1/s;