112 changes: 90 additions & 22 deletions WebGoat/Code/SQLiteProfileProvider.cs
Expand Up @@ -378,12 +378,18 @@ public override int DeleteInactiveProfiles (ProfileAuthenticationOption authenti
SqliteConnection cn = GetDbConnectionForProfile ();
try {
using (SqliteCommand cmd = cn.CreateCommand()) {
string authClause;
SqliteParameter authParam;
GetClauseForAuthenticationOptions (authenticationOption, out authClause, out authParam);

cmd.CommandText = "DELETE FROM " + PROFILE_TB_NAME + " WHERE UserId IN (SELECT UserId FROM " + USER_TB_NAME
+ " WHERE ApplicationId = $ApplicationId AND LastActivityDate <= $LastActivityDate"
+ GetClauseForAuthenticationOptions (authenticationOption) + ")";
+ authClause + ")";

cmd.Parameters.AddWithValue ("$ApplicationId", _membershipApplicationId);
cmd.Parameters.AddWithValue ("$LastActivityDate", userInactiveSinceDate);
if (authParam != null)
cmd.Parameters.Add (authParam);

if (cn.State == ConnectionState.Closed)
cn.Open ();
Expand All @@ -409,14 +415,20 @@ public override int GetNumberOfInactiveProfiles (ProfileAuthenticationOption aut
SqliteConnection cn = GetDbConnectionForProfile ();
try {
using (SqliteCommand cmd = cn.CreateCommand()) {
string authClause;
SqliteParameter authParam;
GetClauseForAuthenticationOptions (authenticationOption, out authClause, out authParam);

cmd.CommandText = "SELECT COUNT(*) FROM " + USER_TB_NAME + " u, " + PROFILE_TB_NAME + " p " +
"WHERE u.ApplicationId = $ApplicationId AND u.LastActivityDate <= $LastActivityDate AND u.UserId = p.UserId" + GetClauseForAuthenticationOptions (authenticationOption);
"WHERE u.ApplicationId = $ApplicationId AND u.LastActivityDate <= $LastActivityDate AND u.UserId = p.UserId" + authClause;

if (cn.State == ConnectionState.Closed)
cn.Open ();

cmd.Parameters.AddWithValue ("$ApplicationId", _membershipApplicationId);
cmd.Parameters.AddWithValue ("$LastActivityDate", userInactiveSinceDate);
if (authParam != null)
cmd.Parameters.Add (authParam);

return cmd.ExecuteNonQuery ();
}
Expand All @@ -438,15 +450,26 @@ public override int GetNumberOfInactiveProfiles (ProfileAuthenticationOption aut
/// </returns>
public override ProfileInfoCollection GetAllProfiles (ProfileAuthenticationOption authenticationOption, int pageIndex, int pageSize, out int totalRecords)
{
string authClause;
SqliteParameter authParam;
GetClauseForAuthenticationOptions (authenticationOption, out authClause, out authParam);

string sqlQuery = "SELECT u.UserName, u.IsAnonymous, u.LastActivityDate, p.LastUpdatedDate, length(p.PropertyNames) + length(p.PropertyValuesString) FROM "
+ USER_TB_NAME + " u, " + PROFILE_TB_NAME + " p WHERE u.ApplicationId = $ApplicationId AND u.UserId = p.UserId "
+ GetClauseForAuthenticationOptions (authenticationOption);
+ authClause;

SqliteParameter prm = new SqliteParameter ("$ApplicationId", DbType.String, 36);
prm.Value = _membershipApplicationId;

SqliteParameter[] args = new SqliteParameter[1];
args [0] = prm;
SqliteParameter[] args;
if (authParam != null) {
args = new SqliteParameter[2];
args [0] = prm;
args [1] = authParam;
} else {
args = new SqliteParameter[1];
args [0] = prm;
}
return GetProfilesForQuery (sqlQuery, args, pageIndex, pageSize, out totalRecords);
}

Expand All @@ -463,18 +486,30 @@ public override ProfileInfoCollection GetAllProfiles (ProfileAuthenticationOptio
/// </returns>
public override ProfileInfoCollection GetAllInactiveProfiles (ProfileAuthenticationOption authenticationOption, DateTime userInactiveSinceDate, int pageIndex, int pageSize, out int totalRecords)
{
string authClause;
SqliteParameter authParam;
GetClauseForAuthenticationOptions (authenticationOption, out authClause, out authParam);

string sqlQuery = "SELECT u.UserName, u.IsAnonymous, u.LastActivityDate, p.LastUpdatedDate, length(p.PropertyNames) + length(p.PropertyValuesString) FROM "
+ USER_TB_NAME + " u, " + PROFILE_TB_NAME + " p WHERE u.ApplicationId = $ApplicationId AND u.UserId = p.UserId AND u.LastActivityDate <= $LastActivityDate"
+ GetClauseForAuthenticationOptions (authenticationOption);
+ authClause;

SqliteParameter prm1 = new SqliteParameter ("$ApplicationId", DbType.String, 256);
prm1.Value = _membershipApplicationId;
SqliteParameter prm2 = new SqliteParameter ("$LastActivityDate", DbType.DateTime);
prm2.Value = userInactiveSinceDate;

SqliteParameter[] args = new SqliteParameter[2];
args [0] = prm1;
args [1] = prm2;
SqliteParameter[] args;
if (authParam != null) {
args = new SqliteParameter[3];
args [0] = prm1;
args [1] = prm2;
args [2] = authParam;
} else {
args = new SqliteParameter[2];
args [0] = prm1;
args [1] = prm2;
}

return GetProfilesForQuery (sqlQuery, args, pageIndex, pageSize, out totalRecords);
}
Expand All @@ -492,18 +527,30 @@ public override ProfileInfoCollection GetAllInactiveProfiles (ProfileAuthenticat
/// </returns>
public override ProfileInfoCollection FindProfilesByUserName (ProfileAuthenticationOption authenticationOption, string usernameToMatch, int pageIndex, int pageSize, out int totalRecords)
{
string authClause;
SqliteParameter authParam;
GetClauseForAuthenticationOptions (authenticationOption, out authClause, out authParam);

string sqlQuery = "SELECT u.UserName, u.IsAnonymous, u.LastActivityDate, p.LastUpdatedDate, length(p.PropertyNames) + length(p.PropertyValuesString) FROM "
+ USER_TB_NAME + " u, " + PROFILE_TB_NAME + " p WHERE u.ApplicationId = $ApplicationId AND u.UserId = p.UserId AND u.LoweredUserName LIKE $UserName"
+ GetClauseForAuthenticationOptions (authenticationOption);
+ authClause;

SqliteParameter prm1 = new SqliteParameter ("$ApplicationId", DbType.String, 256);
prm1.Value = _membershipApplicationId;
SqliteParameter prm2 = new SqliteParameter ("$UserName", DbType.String, 256);
prm2.Value = usernameToMatch.ToLowerInvariant ();

SqliteParameter[] args = new SqliteParameter[2];
args [0] = prm1;
args [1] = prm2;
SqliteParameter[] args;
if (authParam != null) {
args = new SqliteParameter[3];
args [0] = prm1;
args [1] = prm2;
args [2] = authParam;
} else {
args = new SqliteParameter[2];
args [0] = prm1;
args [1] = prm2;
}

return GetProfilesForQuery (sqlQuery, args, pageIndex, pageSize, out totalRecords);
}
Expand All @@ -522,9 +569,13 @@ public override ProfileInfoCollection FindProfilesByUserName (ProfileAuthenticat
/// </returns>
public override ProfileInfoCollection FindInactiveProfilesByUserName (ProfileAuthenticationOption authenticationOption, string usernameToMatch, DateTime userInactiveSinceDate, int pageIndex, int pageSize, out int totalRecords)
{
string authClause;
SqliteParameter authParam;
GetClauseForAuthenticationOptions (authenticationOption, out authClause, out authParam);

string sqlQuery = "SELECT u.UserName, u.IsAnonymous, u.LastActivityDate, p.LastUpdatedDate, length(p.PropertyNames) + length(p.PropertyValuesString) FROM "
+ USER_TB_NAME + " u, " + PROFILE_TB_NAME + " p WHERE u.ApplicationId = $ApplicationId AND u.UserId = p.UserId AND u.UserName LIKE $UserName AND u.LastActivityDate <= $LastActivityDate"
+ GetClauseForAuthenticationOptions (authenticationOption);
+ authClause;

SqliteParameter prm1 = new SqliteParameter ("$ApplicationId", DbType.String, 256);
prm1.Value = _membershipApplicationId;
Expand All @@ -533,10 +584,19 @@ public override ProfileInfoCollection FindInactiveProfilesByUserName (ProfileAut
SqliteParameter prm3 = new SqliteParameter ("$LastActivityDate", DbType.DateTime);
prm3.Value = userInactiveSinceDate;

SqliteParameter[] args = new SqliteParameter[3];
args [0] = prm1;
args [1] = prm2;
args [2] = prm3;
SqliteParameter[] args;
if (authParam != null) {
args = new SqliteParameter[4];
args [0] = prm1;
args [1] = prm2;
args [2] = prm3;
args [3] = authParam;
} else {
args = new SqliteParameter[3];
args [0] = prm1;
args [1] = prm2;
args [2] = prm3;
}

return GetProfilesForQuery (sqlQuery, args, pageIndex, pageSize, out totalRecords);
}
Expand Down Expand Up @@ -1069,17 +1129,25 @@ private static object GetObjectFromString (Type type, SettingsSerializeAs serial
}
}

private static string GetClauseForAuthenticationOptions (ProfileAuthenticationOption authenticationOption)
private static void GetClauseForAuthenticationOptions (ProfileAuthenticationOption authenticationOption, out string clause, out SqliteParameter parameter)
{
switch (authenticationOption) {
case ProfileAuthenticationOption.Anonymous:
return " AND IsAnonymous='1' ";
clause = " AND IsAnonymous = $IsAnonymous ";
parameter = new SqliteParameter ("$IsAnonymous", DbType.Boolean);
parameter.Value = true;
break;

case ProfileAuthenticationOption.Authenticated:
return " AND IsAnonymous='0' ";
clause = " AND IsAnonymous = $IsAnonymous ";
parameter = new SqliteParameter ("$IsAnonymous", DbType.Boolean);
parameter.Value = false;
break;

case ProfileAuthenticationOption.All:
return " ";
clause = " ";
parameter = null;
break;

default:
throw new InvalidEnumArgumentException (String.Format ("Unknown ProfileAuthenticationOption value: {0}.", authenticationOption.ToString ()));
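Review bot: GetNumberOfInactiveProfiles (second hunk of this file) still finishes with `return cmd.ExecuteNonQuery ();` directly after the newly added `cmd.Parameters.Add (authParam);`, but the command is a `SELECT COUNT(*)`, so ExecuteNonQuery reports rows affected rather than the selected count and the method cannot return the number of inactive profiles; the commit parameterizes the IsAnonymous clause but leaves this line unchanged. The result should be read as a scalar instead, e.g. `return Convert.ToInt32 (cmd.ExecuteScalar ());`. The method's try/finally continues past the end of the hunk, so the close/dispose path is not visible here. The parameterization itself looks right: the IsAnonymous value now travels as a bound `$IsAnonymous` parameter in every caller, and the `All` branch returns a null parameter that each caller checks before adding it.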