I have a scan finding and hope someone can provide any ideas as to best ways to resolve the issue. First I will show the scan Finding then my code and finally what the scanner's recommended solution is.
Finding
Without proper access control, the method GetAttributeKey() in Provider.cs can execute a SQL statement on line 163 that contains an attacker-controlled primary key, thereby allowing the attacker to access unauthorized records.
Rather than relying on the presentation layer to restrict values submitted by the user, access control should be handled by the application and database layers. Under no circumstances should a user be allowed to retrieve or modify a row in the database without the appropriate permissions. Every query that accesses the database should enforce this policy, which can often be accomplished by simply including the current authenticated username as part of the query.
My Code:
Offending line:
myParam.SqlParam.Value = attribute;
Method:
public string GetAttributeKey(string attribute)
{
string qry = "SELECT ws_attribute_key FROM webservice_attributes WHERE ws_attribute = #attribute";
QueryContainer Instance = new QueryContainer(qry);
MyParam myParam = new MyParam();
myParam.SqlParam = new SqlParameter("#attribute", Instance.AddParameterType(_DbTypes._string));
myParam.SqlParam.Value = attribute;
Instance.parameterList.Add(myParam);
object key = ExecuteScaler(Instance);
return Convert.ToString(key);
}
Scanner's Recommend fix:
string user = ctx.getAuthenticatedUserName();
int16 id = System.Convert.ToInt16(invoiceID.Text);
SqlCommand query = new SqlCommand(
"SELECT * FROM invoices WHERE id = #id AND user = #user", conn);
query.Parameters.AddWithValue("#id", id);
query.Parameters.AddWithValue("#user", user);
SqlDataReader objReader = query.ExecuteReader();
I think the problem is dealing with the code calling the GetAttributeKey. The method is called only if the user has no access to to the Attribute. I think I need some type of checking. Here is the calling code:
if (result.Rows.Count > 0)
{
// get the attribute
DataRow[] rows = result.Select("ws_attribute = '" + attribute + "'");
if (rows.Length > 0)
{
// check time range
string hr = DateTime.Now.Hour.ToString();
DataRow[] valid = result.Select("ws_attribute = '" + attribute + "' AND start_time <= " + hr + " AND end_time >= " + hr);
if (valid.Length > 0)
{
ws_user_attribute_key = Convert.ToInt32(valid[0]["ws_user_attribute_key"].ToString());
ret = true;
// generate salt
TextEncryptor te = new TextEncryptor();
salt = te.CreateSalt(8);
// save to the log, return false if failed to log
if (!LogTransfer(ipAddress, accessDate, fileName, ws_user_attribute_key, salt, out logKey))
return false;
}
else
{
ret = false;
LogInvalidAccess(username, rows[0]["ws_attribute_key"].ToString(), ipAddress, accessDate, WSInvalidAccessReason.OutsideValidTimeRange);
}
}
else
{
// if user has no access to attribute
ret = false;
LogInvalidAccess(username, GetAttributeKey(attribute), ipAddress, accessDate, WSInvalidAccessReason.AttributeNotAccessible);
}
}
else
{
ret = false;
LogInvalidAccess(username, GetAttributeKey(attribute), ipAddress, accessDate, WSInvalidAccessReason.InvalidAccount);
}
Related
OK I have a app that has a Listview and uses sqlite data to populate it. But I also want to be able to email the contents of each view for the body of the message. I tried doing this with a global string variable and catching the data in the CarCursorAdapter activity in the BindView section like this:
// Update the TextViews with the attributes for the current move
vinTxtView.setText(vinStr);
dateTxtView.setText(dateStr);
mvFromTxtView.setText(mvFrom);
mvToTxtView.setText(mvTo);
MyProperties.getInstance().bodyStrGlobal = MyProperties.getInstance().bodyStrGlobal+vinStr+"-"+mvFrom+"->"+mvTo+"-"+dateStr+"\n";
And then I use that string in the email intent. But the problem is it keeps adding to this string every time the listview is populated so I get all kinds of double entries. What would be the best way to just capture this once when the email feature is selected? Or reset the string to null at some place? Maybe just read from each listview item instead of from the cursor loader? There is probably a way to just cycle through the database table but I'm getting all kinds of errors and haven't had any luck.
Found this to work. My MainActivity is very busy now, but everything works.
public String getEmailText(){
String tempStr = "";
String[] projection = {
CarEntry._ID,
CarEntry.COLUMN_CAR_VIN,
CarEntry.COLUMN_CAR_DATE,
CarEntry.COLUMN_CAR_MOVEFROM,
CarEntry.COLUMN_CAR_MOVETO};
Cursor cursor = getContentResolver().query(Uri.parse("content://gregorykraft.com.scanvin/cars"),projection,null,null,null);
if
(cursor == null || cursor.getCount() < 1) {
Toast.makeText(this, getString(R.string.error_uri),
Toast.LENGTH_SHORT).show();
return "";
}
int i = 0;
if (cursor.moveToFirst()) {
while (!cursor.isAfterLast()) {
i++;
String s =String.valueOf(i);
String vinStr = cursor.getString(cursor.getColumnIndex(CarEntry.COLUMN_CAR_VIN));
String mvFrom = cursor.getString(cursor.getColumnIndex(CarEntry.COLUMN_CAR_MOVEFROM));
String mvTo = cursor.getString(cursor.getColumnIndex(CarEntry.COLUMN_CAR_MOVETO));
String dateStr = cursor.getString(cursor.getColumnIndex(CarEntry.COLUMN_CAR_DATE));
tempStr = tempStr+s+") "+vinStr + "-" + mvFrom + "->" + mvTo + "-" + dateStr + "\n";
cursor.moveToNext();
}
cursor.close();
}
return tempStr;
}
I have a list of users in my list view which is populated by retrieving data from documentum . If I click on any row of this least (each row represent one user) I should be able to see all of their information listed down .(This is my problem )
public void selectedItemFromListView(){
selected = lwAllUserGrp.getSelectionModel().getSelectedItem();
System.out.println(selected);
String query =" select * from dm_user where user_name = '#aclName'" ;
String test = query.replace("#aclname", selected);
GetDataWithDqlProfile(_session , query , "user_login_name" , "user_address" , "user_state" );
System.out.println(user.getAddress());
System.out.println(user.getState());
System.out.println(user.getUsername());
}
if I click on a row of list view I can successfully see who is selected and I need to retrieve all the other attributes of that username (same person) from documentum via DQL .
private void GetDataWithDqlProfile(IDfSession session, String Query, String username , String address , String state ) {
try {
IDfQuery UpdateQuery = new DfQuery();
UpdateQuery.setDQL(Query);
IDfCollection col = UpdateQuery.execute(_session, IDfQuery.DF_QUERY);
user.setAddress(col.getString(username));
user.setUsername(col.getString(address));
user.setState(col.getString(state));
col.close();
} catch (Exception e) {
Alert alert = new Alert(Alert.AlertType.ERROR, e.getMessage());
alert.showAndWait();
Logs.WriteLog(LoginController.Repository + ",User:" + LoginController.Username, "DQL Query", e.toString());
e.getStackTrace();
}
and my output is :
User's name
null
null
null
I've tried the DQL query in DQL tester and it works well
In order to fetch rows from IDfCollection you have to call next() on the collection object. This method both advances to the next row and returns a boolean if successful. Use a boolean test (e.g., while or if) to iterate, like this:
IDfCollection col = UpdateQuery.execute(_session, IDfQuery.DF_QUERY);
if (col.next()) {
user.setAddress(col.getString(username));
user.setUsername(col.getString(address));
user.setState(col.getString(state));
}
col.close();
The iteration is necessary even if the collection contains only one row. In other words, you need to manually advance to the first row.
1) As #eiviamu already mentioned, you have to call IDfCollection.next() to get the next row.
2) Your code, among other problems, has one documentum-related: closing of collection must happen always in finally block.
Otherwise you can get unclosed collection which might lead to memory leaks and weird application behavior (e.g. if I'm not mistaken there are 9 simultaneous open collections are allowed for one DCTM session by default, and if you exceed this limit an exception will be thrown)
For those of you referring to this question later here is how I solved the problem :
public ArrayList<User> GetDataWithDqlpro(IDfSession session, String Query, String username , String state , String address) {
try {
IDfQuery UpdateQuery = new DfQuery();
UpdateQuery.setDQL(Query);
IDfCollection col = UpdateQuery.execute(_session, IDfQuery.DF_QUERY);
while (col.next()) {
list.add( new User(col.getString(username),col.getString(address) , col.getString(state)));
}
col.close();
}catch (Exception e) {
Alert alert = new Alert(Alert.AlertType.ERROR, e.getMessage());
alert.showAndWait();
Logs.WriteLog(LoginController.Repository + ",User:" + LoginController.Username, "DQL Query", e.toString());
e.getStackTrace();
}
return (ArrayList<User>) list;
}
public void selectedItemFromListView(){
selected = lwAllUserGrp.getSelectionModel().getSelectedItem();
System.out.println(selected);
String Query = "select user_login_name , user_state , user_address from dm_user where user_login_name ='#aclname'";
Query = Query.replace("#aclname",selected );
ArrayList<User> allUserNames = GetDataWithDqlpro(_session, Query, "user_login_name","user_address","user_state");
for (int i = 0 ; i <= allUserNames.size()-1 ; i++ ){
if (selected.compareToIgnoreCase(allUserNames.get(i).getUsername() ) == 0){
System.out.println(allUserNames.get(i).getState() );
System.out.println(allUserNames.get(i).getAddress() );
System.out.println(allUserNames.get(i).getUsername() );
}
}
}
Worth mentioning that I have a class called User with constructor and get and set methods
I hope it will help some one :)
I'm building a Flash AIR application that will be a kiosk installation for accepting visitor comments, and then displaying previous visitor's comments back. This needs to be highly graphically styled, so returning the query/SQL results back into a datagrid isn't a suitable end result. The database is simply the local one created by the Flash application since this is a non-networked kiosk installation.
I've seen many comments talking about datagrids, and I've seen code that will display all the query results back as a single string - but I'm hoping to populate (without clicking on a datagrid) a series of dynamic text fields with the results of my query.
The Insert statement is working great:
function addData(): void
{
insertStmt = new SQLStatement();
insertStmt.sqlConnection = conn;
var sqlAdd: String = "";
sqlAdd += "INSERT INTO comments (firstName, lastName, homeTown, comment, avatarID, tagID) ";
sqlAdd += "VALUES ('" + inputFirstName + "', ";
sqlAdd += "'" + inputLastName + "', ";
sqlAdd += "'" + inputHomeTown + "', ";
sqlAdd += "'" + inputComment + "', ";
sqlAdd += inputAvatarID + ", ";
sqlAdd += inputTagID;
sqlAdd += ")";
insertStmt.text = sqlAdd;
insertStmt.addEventListener(SQLEvent.RESULT, insertResult);
insertStmt.addEventListener(SQLErrorEvent.ERROR, insertError);
insertStmt.execute();
}
I'm also able to get my Select statement to work when I click a button:
function getData(event: MouseEvent): void
{
selectStmt = new SQLStatement();
selectStmt.sqlConnection = conn;
var sql: String = "SELECT firstName, lastName, comment FROM comments";
selectStmt.text = sql;
selectStmt.addEventListener(SQLEvent.RESULT, selectResult);
selectStmt.addEventListener(SQLEvent.RESULT, traceResult);
selectStmt.addEventListener(SQLErrorEvent.ERROR, selectError);
selectStmt.execute();
}
Where I'm getting completely stuck is extracting this information and either giving each thing a variable name so I can use it later, or at least put the data into a multidimensional array so I reference data with a syntax like
array[1][firstName]
This is the code I've got isn't quite working:
function selectResult(event: SQLEvent): void
{
selectStmt.removeEventListener(SQLEvent.RESULT, selectResult);
selectStmt.removeEventListener(SQLErrorEvent.ERROR, selectError);
var result: SQLResult = selectStmt.getResult();
// The results grid works so I know I'm getting the data back
resultsGrid.dataProvider = new DataProvider(result.data);
var resultsArray01: Array;
var newResultsRow: Array;
if (result != null)
{
// Iterate through each entry
for each(var entry: Object in result.data)
{
// Trace entry -- this works when I test it
trace(entry.firstName,entry.comment, entry.homeTown);
// Add entries to array -- where I get into troubles
// I get TypeError: Error #1009: Cannot access a property or method of a null object reference.
newResultsRow.push(entry.firstName, entry.comment, entry.homeTown);
resultsArray01.push(newResultsRow);
}
}
}
Sorry if this is longwinded. I'm pretty new to AS3, but fairly good with SQL. Any help is appreciated.
You don't need a multidimensional Array for this. You don't even need to create a loop. You can just store the Results as is.
//Declare variable to store the data
var resultsArray:Array;
var result: SQLResult = selectStmt.getResult();
if (result != null)
{
resultsArray = result.data;
}
Then you can just do this...
trace(resultsArray[1]["firstName"]);
Although it is better to use dot syntax
trace(resultsArray[1].firstName);
I want to pass two parametrs cartid and productis via query string.
Cartid is to be generated either from session(if available) else from database and Product is to be fetch from previous query sting
My code is(in case cart id is to be fetch from database)
CartInfo cartinfo = new CartInfo();
cartinfo.UserName = Session["UserName"].ToString();
cartinfo.IsOrder = "0";
cartinfo.CartDate = DateTime.Now;
int id = new InsertAction().InsertData(cartinfo);
if (id!=0)
{
lblmsg.Text = "Inserted Sucessfully";
Session["CartID"] = id;
if (Request.QueryString["ProductID"] != null)
{
int productid = int.Parse(Request.QueryString["ProductID"]);
}
Response.Redirect("ViewCartItems.aspx?CartID=id & ProductID=productid");
}
and in case cartid is to be fetch from the session created
if (Session["CartID"] != null)
{
string cartid;
int productid;
if (Request.QueryString["ProductID"] != null)
{
cartid = Session["CartID"].ToString();
productid = int.Parse(Request.QueryString["ProductID"]);
DataSet ds = new AddCartItem().GetCartItem(cartid, productid);
if (ds.Tables[0].Rows.Count > 0)
{
DataSet ds1 = new AddCartItem().UpdateCartItem(cartid, productid);
}
but both the queries are wrong
the are generating url like this
http://localhost:1030/SShopping%20Website/client/ViewCartItems.aspx?CartID=id%20&%20ProductID=productid
Please help
It's usually much easier to read using String.Format:
Response.Redirect(String.Format("ViewCartItems.aspx?CartID={0}&ProductID={1}", id, productid));
Also, it is prefable to use Response.Redirect(url, false) instead of just Response.Redirect(url), so you don't get a ThreadAbortException.
From MSDN:
When you use this method in a page handler to terminate a request for
one page and start a new request for another page, set endResponse to
false and then call the CompleteRequest method. If you specify true
for the endResponse parameter, this method calls the End method for
the original request, which throws a ThreadAbortException exception
when it completes. This exception has a detrimental effect on Web
application performance, which is why passing false for the
endResponse parameter is recommended.
Reading: Response.Redirect
You need to concatenate the values into the string:
Response.Redirect("ViewCartItems.aspx?CartID=" + id.ToString() + "&ProductID=" + productid.ToString());
You are putting space between '&', 'variable name' , '='.
Don't put space. Write like this: &name=, not like & name =.
Response.Redirect("ViewCartItems.aspx?CartID="+id+"&ProductID="+productid);
This will work.
So I have been driving myself crazy trying to figure out why I can't get my LDAP search to work.
private String getDNFromLDAP(String strUID)
{
String strDN = "";
//Create an LDAP Entry Object
DirectoryEntry entry = new DirectoryEntry("LDAP://something.blah.com/cn=people,dc=blah,dc=com");
entry.AuthenticationType = AuthenticationTypes.SecureSocketsLayer;
entry.Username = "cn=myaccount,cn=special,dc=blah,dc=com";
entry.Password = "supersecret";
DirectorySearcher mySearcher = new DirectorySearcher(entry);
mySearcher.SearchScope = SearchScope.Subtree;
mySearcher.Filter = "(uid=" + strUID + ")";
SearchResult result = mySearcher.FindOne();
int nIndex = result.Path.LastIndexOf("/");
strDN = result.Path.Substring((nIndex + 1)).ToString().TrimEnd();
//Clean up objects
entry.Close();
entry.Dispose();
mySearcher.Dispose();
//returns the DN
return strDN;
}
I know the object I am searching for exist (confirmed with ldapsearch), but my result keeps coming back empty. I suspect there is an issue with the base dn, but I don't know how to confirm what what DirectorySearch is using as the base dn. Any help at all would be appreciated.
You set the root using the searchroot property. The root is set to entry you pass on the constructor, so this might be why you can't find your entry.