luxolus
/
open-vault
2
0
Fork 0
Code Issues 1 Pull Requests Releases Activity

Remove fmt strings and replace with inline queries (#13799) 

* removed fmt strings and replaced with inline SQL | added unit tests

* changelog++
This commit is contained in:
Gary Frederick 2022-01-27 15:20:13 -08:00 committed by GitHub
parent 86175b2e82
commit ff7a08c364
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 77 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
changelog/13799.txt Normal file
View File

@ -0,0 +1,3 @@
```release-note:security
database/mssql: Removed string interpolation on internal queries and replaced them with inline queries using named parameters.
```

34
plugins/database/mssql/mssql.go
View File

@ -216,24 +216,32 @@ func (m *MSSQL) revokeUserDefault(ctx context.Context, username string) error {
// Check if DB is contained // Check if DB is contained
if m.containedDB { if m.containedDB {
revokeStmt, err := db.PrepareContext(ctx, fmt.Sprintf("DROP USER IF EXISTS [%s]", username)) revokeQuery :=
`DECLARE @stmt nvarchar(max);
SET @stmt = 'DROP USER IF EXISTS ' + QuoteName(@username);
EXEC(@stmt);`
revokeStmt, err := db.PrepareContext(ctx, revokeQuery)
if err != nil { if err != nil {
return err return err
} }
defer revokeStmt.Close() defer revokeStmt.Close()
if _, err := revokeStmt.ExecContext(ctx); err != nil { if _, err := revokeStmt.ExecContext(ctx, sql.Named("username", username)); err != nil {
return err return err
} }
return nil return nil
} }
// First disable server login // First disable server login
disableStmt, err := db.PrepareContext(ctx, fmt.Sprintf("ALTER LOGIN [%s] DISABLE;", username)) disableQuery :=
`DECLARE @stmt nvarchar(max);
SET @stmt = 'ALTER LOGIN ' + QuoteName(@username) + ' DISABLE';
EXEC(@stmt);`
disableStmt, err := db.PrepareContext(ctx, disableQuery)
if err != nil{ if err != nil{
return err return err
} }
defer disableStmt.Close() defer disableStmt.Close()
if _, err := disableStmt.ExecContext(ctx); err != nil { if _, err := disableStmt.ExecContext(ctx, sql.Named("username", username)); err != nil {
return err return err
} }
@ -311,12 +319,12 @@ func (m *MSSQL) revokeUserDefault(ctx context.Context, username string) error {
} }
// Drop this login // Drop this login
stmt, err = db.PrepareContext(ctx, fmt.Sprintf(dropLoginSQL, username, username)) stmt, err = db.PrepareContext(ctx, dropLoginSQL)
if err != nil { if err != nil {
return err return err
} }
defer stmt.Close() defer stmt.Close()
if _, err := stmt.ExecContext(ctx); err != nil { if _, err := stmt.ExecContext(ctx, sql.Named("username", username)); err != nil {
return err return err
} }
@ -413,14 +421,12 @@ END
` `
const dropLoginSQL = ` const dropLoginSQL = `
IF EXISTS DECLARE @stmt nvarchar(max)
(SELECT name SET @stmt = 'IF EXISTS (SELECT name FROM [master].[sys].[server_principals] WHERE [name] = ' + QuoteName(@username, '''') + ') ' +
FROM master.sys.server_principals 'BEGIN ' +
WHERE name = N'%s') 'DROP LOGIN ' + QuoteName(@username) + ' ' +
BEGIN 'END'
DROP LOGIN [%s] EXEC (@stmt)`
END
`
const alterLoginSQL = ` const alterLoginSQL = `
ALTER LOGIN [{{username}}] WITH PASSWORD = '{{password}}' ALTER LOGIN [{{username}}] WITH PASSWORD = '{{password}}'

65
plugins/database/mssql/mssql_test.go
View File

@ -14,6 +14,7 @@ import (
"github.com/hashicorp/vault/sdk/database/dbplugin/v5" "github.com/hashicorp/vault/sdk/database/dbplugin/v5"
dbtesting "github.com/hashicorp/vault/sdk/database/dbplugin/v5/testing" dbtesting "github.com/hashicorp/vault/sdk/database/dbplugin/v5/testing"
"github.com/hashicorp/vault/sdk/helper/dbtxn" "github.com/hashicorp/vault/sdk/helper/dbtxn"
"github.com/stretchr/testify/assert"
) )
func TestInitialize(t *testing.T) { func TestInitialize(t *testing.T) {
@ -262,7 +263,10 @@ func TestUpdateUser_password(t *testing.T) {
dbtesting.AssertInitializeCircleCiTest(t, db, initReq) dbtesting.AssertInitializeCircleCiTest(t, db, initReq)
defer dbtesting.AssertClose(t, db) defer dbtesting.AssertClose(t, db)
createTestMSSQLUser(t, connURL, dbUser, initPassword, testMSSQLLogin) err := createTestMSSQLUser(connURL, dbUser, initPassword, testMSSQLLogin)
if err != nil {
t.Fatalf("Failed to create user: %s", err)
}
assertCredsExist(t, connURL, dbUser, initPassword) assertCredsExist(t, connURL, dbUser, initPassword)
@ -326,7 +330,10 @@ func TestDeleteUser(t *testing.T) {
dbtesting.AssertInitializeCircleCiTest(t, db, initReq) dbtesting.AssertInitializeCircleCiTest(t, db, initReq)
defer dbtesting.AssertClose(t, db) defer dbtesting.AssertClose(t, db)
createTestMSSQLUser(t, connURL, dbUser, initPassword, testMSSQLLogin) err := createTestMSSQLUser(connURL, dbUser, initPassword, testMSSQLLogin)
if err != nil {
t.Fatalf("Failed to create user: %s", err)
}
assertCredsExist(t, connURL, dbUser, initPassword) assertCredsExist(t, connURL, dbUser, initPassword)
@ -350,6 +357,44 @@ func TestDeleteUser(t *testing.T) {
assertCredsDoNotExist(t, connURL, dbUser, initPassword) assertCredsDoNotExist(t, connURL, dbUser, initPassword)
} }
func TestSQLSanitization(t *testing.T) {
cleanup, connURL := mssqlhelper.PrepareMSSQLTestContainer(t)
defer cleanup()
injectionString := "vaultuser]"
dbUser := "vaultuser"
initPassword := "p4$sw0rd"
initReq := dbplugin.InitializeRequest{
Config: map[string]interface{}{
"connection_url": connURL,
},
VerifyConnection: true,
}
db := new()
dbtesting.AssertInitializeCircleCiTest(t, db, initReq)
defer dbtesting.AssertClose(t, db)
err := createTestMSSQLUser(connURL, dbUser, initPassword, testMSSQLLogin)
if err != nil {
t.Fatalf("Failed to create user: %s", err)
}
assertCredsExist(t, connURL, dbUser, initPassword)
deleteReq := dbplugin.DeleteUserRequest{
Username: injectionString,
}
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
defer cancel()
_, err = db.DeleteUser(ctx, deleteReq)
assert.EqualError(t, err, "mssql: Cannot alter the login 'vaultuser]', because it does not exist or you do not have permission.")
}
func assertCredsExist(t testing.TB, connURL, username, password string) { func assertCredsExist(t testing.TB, connURL, username, password string) {
t.Helper() t.Helper()
err := testCredsExist(connURL, username, password) err := testCredsExist(connURL, username, password)
@ -378,18 +423,18 @@ func testCredsExist(connURL, username, password string) error {
return db.Ping() return db.Ping()
} }
func createTestMSSQLUser(t *testing.T, connURL string, username, password, query string) { func createTestMSSQLUser(connURL string, username, password, query string) error {
db, err := sql.Open("mssql", connURL) db, err := sql.Open("mssql", connURL)
defer db.Close() defer db.Close()
if err != nil { if err != nil {
t.Fatal(err) return err
} }
// Start a transaction // Start a transaction
ctx := context.Background() ctx := context.Background()
tx, err := db.BeginTx(ctx, nil) tx, err := db.BeginTx(ctx, nil)
if err != nil { if err != nil {
t.Fatal(err) return err
} }
defer func() { defer func() {
_ = tx.Rollback() _ = tx.Rollback()
@ -400,12 +445,13 @@ func createTestMSSQLUser(t *testing.T, connURL string, username, password, query
"password": password, "password": password,
} }
if err := dbtxn.ExecuteTxQuery(ctx, tx, m, query); err != nil { if err := dbtxn.ExecuteTxQuery(ctx, tx, m, query); err != nil {
t.Fatal(err) return err
} }
// Commit the transaction // Commit the transaction
if err := tx.Commit(); err != nil { if err := tx.Commit(); err != nil {
t.Fatal(err) return err
} }
return nil
} }
const testMSSQLRole = ` const testMSSQLRole = `
@ -413,11 +459,6 @@ CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}';
CREATE USER [{{name}}] FOR LOGIN [{{name}}]; CREATE USER [{{name}}] FOR LOGIN [{{name}}];
GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO [{{name}}];` GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO [{{name}}];`
const testMSSQLDrop = `
DROP USER [{{name}}];
DROP LOGIN [{{name}}];
`
const testMSSQLLogin = ` const testMSSQLLogin = `
CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}'; CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}';
` `