From 09315dfb281caf9197aa8f993d41e6cbb0382e82 Mon Sep 17 00:00:00 2001 From: Aleisha Amohia Date: Mon, 29 Jul 2024 03:53:06 +0000 Subject: [PATCH] Bug 37508: Throw error if password column is detected in SQL report This enhancement prevents SQL queries from being run if they would return a password field from the database table. To test: 1. Run tests and notice they fail t/db_dependent/Reports/Guided.t 2. Apply patch and restart services 3. Create a public report with an SQL report which would access a password column in a database table 4. Try to run the report. Notice you are met with an error and the results are not shown. 5. Access the JSON URL, you should not get the results and should be shown an error 6. Confirm tests pass t/db_dependent/Reports/Guided.t Sponsored-by: Reserve Bank of New Zealand Signed-off-by: David Cook Signed-off-by: Marcel de Rooy Signed-off-by: Tomas Cohen Arazi --- C4/Reports/Guided.pm | 6 ++++ .../modules/reports/guided_reports_start.tt | 4 +++ svc/report | 7 ++--- t/db_dependent/Reports/Guided.t | 30 ++++++++++++++++++- 4 files changed, 42 insertions(+), 5 deletions(-) diff --git a/C4/Reports/Guided.pm b/C4/Reports/Guided.pm index cbbc1a6f88..986680783c 100644 --- a/C4/Reports/Guided.pm +++ b/C4/Reports/Guided.pm @@ -615,6 +615,12 @@ sub execute_query { }; warn $@ if $@; + foreach my $column ( @{ $sth->{NAME_lc} } ) { + if ( $column eq 'password' ) { + return ( $sth, { passworderr => $column } ); + } + } + return ( $sth, { queryerr => $sth->errstr } ) if ($sth->err); return ( $sth ); } diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/reports/guided_reports_start.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/reports/guided_reports_start.tt index cae344a322..dad632a6de 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/reports/guided_reports_start.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/reports/guided_reports_start.tt @@ -1375,6 +1375,10 @@ [% error.queryerr | html %]
Please check the log for further details. [% ELSIF ( error.cache_expiry ) %] Please select a cache expiry less than 30 days. + [% ELSIF ( error.passworderr ) %] + The column selection in this report includes a password field.
+ The report cannot be executed due to security risks.
+ Please edit this report and ensure no password columns have been selected. [% ELSE %] [% END %]
diff --git a/svc/report b/svc/report index 5d91494f93..a6bea3d320 100755 --- a/svc/report +++ b/svc/report @@ -76,7 +76,9 @@ unless ($json_text) { report_id => $report_id, } ); - if ($sth) { + if ($errors) { + $json_text = encode_json($errors); + } else { my $lines; if ($report_annotation) { $lines = $sth->fetchall_arrayref({}); @@ -90,9 +92,6 @@ unless ($json_text) { $cache->set_in_cache( $cache_key, $json_text, { expiry => $report_rec->cache_expiry } ); } } - else { - $json_text = encode_json($errors); - } } print $query->header( diff --git a/t/db_dependent/Reports/Guided.t b/t/db_dependent/Reports/Guided.t index 6fda469ba0..0db1a6295b 100755 --- a/t/db_dependent/Reports/Guided.t +++ b/t/db_dependent/Reports/Guided.t @@ -18,7 +18,7 @@ use Modern::Perl; -use Test::More tests => 11; +use Test::More tests => 12; use Test::Warn; use t::lib::TestBuilder; @@ -499,6 +499,34 @@ subtest 'nb_rows() tests' => sub { $schema->storage->txn_rollback; }; +subtest 'Returning passwords tests' => sub { + + plan tests => 3; + + my $dbh = C4::Context->dbh; + $schema->storage->txn_begin; + + my $query = q{ SELECT * FROM borrowers }; + + my ( $sth, $errors ) = execute_query( { sql => $query } ); + + is( defined($errors), 1, 'Query returns password field' ); + + $query = q{ SELECT * FROM z3950servers }; + + ( $sth, $errors ) = execute_query( { sql => $query } ); + + is( defined($errors), 1, 'Query returns password field' ); + + $query = q{ SELECT password FROM deletedborrowers }; + + ( $sth, $errors ) = execute_query( { sql => $query } ); + + is( defined($errors), 1, 'Query returns password field' ); + + $schema->storage->txn_rollback; +}; + sub trim { my ($s) = @_; $s =~ s/^\s*(.*?)\s*$/$1/s; -- 2.39.5