Access Control: Database for Fortify Vulnerability

  Continuing the series summarizing Fortify findings, this article covers the Access Control: Database (unauthorized data access) category, as follows:

1. Access Control: Database (unauthorized data access)

1.1. Cause:

A database access control error occurs when:

1. Data enters the program from an untrusted source.

2. This data is used to specify the value of the primary key in the SQL query.

 

Example 1: The following code uses a parameterized statement, which escapes metacharacters and prevents SQL injection, to build and execute an SQL query that looks up the invoice matching a given identifier. The identifier is chosen from a list that the interface presents to the currently authenticated user.

...
// The identifier comes straight from the request; nothing ties it to the caller.
int id = Integer.decode(request.getParameter("invoiceID"));
String query = "SELECT * FROM invoices WHERE id = ?";
PreparedStatement stmt = conn.prepareStatement(query);
stmt.setInt(1, id);
// executeQuery() returns the ResultSet (execute() only returns a boolean).
ResultSet results = stmt.executeQuery();
...

 

  The problem is that the developer did not consider every possible value of id. Although the interface only generates a list of identifiers that belong to the current user, an attacker can bypass that interface and submit any identifier they like. Because the code does not check that the user is entitled to the requested invoice, it returns whatever invoice matches the id, even one that does not belong to the current user.

1.2. Remediation:

  Rather than relying on the presentation layer to restrict the values a user can submit, enforce access control at the application and database layers. A user must never be able to read or modify a database record without the appropriate permission. Every query against the database must follow this principle, which can be achieved by making the currently authenticated user name part of the query.

 

Example 2: The following code implements the same functionality as Example 1, but adds a restriction so that only invoices belonging to the currently authenticated user are returned.

...
// The user name comes from the server-side security context, not from the request.
String userName = ctx.getAuthenticatedUserName();
int id = Integer.decode(request.getParameter("invoiceID"));
// Ownership is part of the WHERE clause: an id owned by someone else matches no row.
String query = "SELECT * FROM invoices WHERE id = ? AND user = ?";
PreparedStatement stmt = conn.prepareStatement(query);
stmt.setInt(1, id);
stmt.setString(2, userName);
ResultSet results = stmt.executeQuery();
...

 

  In short, preventing unauthorized data access comes down to two points:

  a. For data that is queried, add a data-permission restriction to the SQL statement itself, limiting results to the role or user that owns the data.

  b. Obtain the value used for that restriction from the back end (the authenticated session), never from a parameter passed in by the front end.
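The two points above, applied to both reads and writes, as an added example that is not part of the original article or of Fortify's documentation. It assumes a JDBC Connection supplied by the application, a table with the columns id, user, amount_cents and status, and Java 16 or later for the record type; InvoiceRepository, InvoiceRecord, AccessDeniedException and the handler method are hypothetical names chosen for this illustration. It goes beyond the article's SELECT case by showing that an UPDATE needs the same owner predicate plus a check of the affected-row count, since an UPDATE whose WHERE clause matches nothing fails silently.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Optional;

/** Hypothetical repository: every statement carries the owner predicate. */
public final class InvoiceRepository {

    /** Minimal projection of an invoice row (constructed for this example). */
    public record InvoiceRecord(int id, String owner, long amountCents) {}

    /** Raised when a write touches a row the caller does not own. */
    public static final class AccessDeniedException extends RuntimeException {
        public AccessDeniedException(String message) { super(message); }
    }

    private final Connection conn;

    public InvoiceRepository(Connection conn) { this.conn = conn; }

    /**
     * Read path. The authenticated user is part of the WHERE clause, so an id
     * that belongs to another user simply yields no row; the caller cannot
     * distinguish "does not exist" from "not yours", which avoids leaking
     * which ids are valid.
     */
    public Optional<InvoiceRecord> findForUser(int invoiceId, String authenticatedUser)
            throws SQLException {
        String sql = "SELECT id, user, amount_cents FROM invoices WHERE id = ? AND user = ?";
        try (PreparedStatement stmt = conn.prepareStatement(sql)) {
            stmt.setInt(1, invoiceId);
            stmt.setString(2, authenticatedUser);
            try (ResultSet rs = stmt.executeQuery()) {
                if (!rs.next()) {
                    return Optional.empty();
                }
                return Optional.of(new InvoiceRecord(
                        rs.getInt("id"), rs.getString("user"), rs.getLong("amount_cents")));
            }
        }
    }

    /**
     * Write path. The same owner predicate is required, and the affected-row
     * count must be checked: a WHERE clause that matched nothing does not
     * raise an error on its own.
     */
    public void cancelForUser(int invoiceId, String authenticatedUser) throws SQLException {
        String sql = "UPDATE invoices SET status = 'CANCELLED' WHERE id = ? AND user = ?";
        try (PreparedStatement stmt = conn.prepareStatement(sql)) {
            stmt.setInt(1, invoiceId);
            stmt.setString(2, authenticatedUser);
            int updated = stmt.executeUpdate();
            if (updated != 1) {
                throw new AccessDeniedException(
                        "invoice " + invoiceId + " is not owned by " + authenticatedUser);
            }
        }
    }

    /**
     * Request-handling glue. The only untrusted input is the raw invoiceID
     * parameter; the user name is taken from the server-side session principal
     * that the framework established after authentication, never from the request.
     */
    public Optional<InvoiceRecord> handleGetInvoice(String invoiceIdParam, String sessionPrincipal)
            throws SQLException {
        int invoiceId;
        try {
            invoiceId = Integer.decode(invoiceIdParam);
        } catch (NumberFormatException e) {
            return Optional.empty(); // malformed id: treat like a missing invoice
        }
        return findForUser(invoiceId, sessionPrincipal);
    }
}
```

In a scanner such as Fortify, the finding is cleared because the primary key from the request is never the sole selector of the row; the authenticated principal is bound into every statement alongside it. The same pattern extends to DELETE, and to list endpoints, where the owner predicate replaces the id predicate rather than being added to it.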
