Replace escapeSql with pg built-in escaping

c-w · c-w · commit 4bc15ac53205 · 2018-02-07T08:16:10.000-05:00
In CatalystCode/project-fortis-pipeline#222 we discovered another set of SQL-injection attack vectors for the feature service. This commit fixes potential injection vulnerabilities once and for all by switching all queries to using the postgres built-in parameter interpolation mechanism instead of using string queries. The changes were validated by calling the following routes which should be roughly representative of the entire functionality space of the featureService: ```sh curl 'localhost:8080/features/name/paris' curl 'localhost:8080/features/name/bogota,paris' curl 'localhost:8080/features/id/wof-85971971' curl 'localhost:8080/features/id/wof-404477281,wof-85971971' curl 'localhost:8080/features/point/40.71/74.0' curl 'localhost:8080/features/bbox/47/5/35/10' curl 'localhost:8080/features/bbox/47/5/35/10?filter_name=Saint&filter_layer=campus' ```
diff --git a/services/features.js b/services/features.js
@@ -6,17 +6,16 @@ const async = require('async'),
       GeoPoint = require('geopoint'),
       HttpStatus = require('http-status-codes'),
       postgres = require('./postgres'),
-      escapeSql = postgres.escapeSql,
       ServiceError = common.utils.ServiceError,
       turf = require('turf');
 
 let featureDatabasePool;
 
-function executeQuery(query, callback) {
+function executeQuery(query, params, callback) {
     featureDatabasePool.connect((err, client, done) => {
         if (err) return callback(err);
 
-        client.query(query, (err, results) => {
+        client.query(query, params, (err, results) => {
             done();
 
             if (err)
@@ -29,8 +28,15 @@ function executeQuery(query, callback) {
 
 function getById(query, callback) {
     const ids = query.id.constructor === Array ? query.id : [query.id];
-    const getQuery = `SELECT ${buildQueryColumns(query)} FROM features WHERE id IN (${ids.map(escapeSql).join(',')})`;
-    executeQuery(getQuery, (err, rows) => {
+
+    const getParams = [];
+
+    const getQuery = `SELECT ${buildQueryColumns(query)} FROM features WHERE id IN (${ids.map(id => {
+        getParams.push(id);
+        return `$${getParams.length}`;
+    }).join(',')})`;
+
+    executeQuery(getQuery, getParams, (err, rows) => {
         if (err) return callback(err);
         if (!rows || rows.length === 0) return callback(null, null);
 
@@ -119,58 +125,72 @@ function buildQueryColumns(query) {
     return queryColumns;
 }
 
-function addQueryPredicates(sql, query) {
+function addQueryPredicates(sql, query, params) {
     if (query.layer) {
-        sql += ` AND layer = ${escapeSql(query.layer)}`;
+        params.push(query.layer);
+        sql += ` AND layer = $${params.length}`;
     }
 
     if (query.filter_name) {
-        sql += ` AND strpos(lower(name), lower(${escapeSql(query.filter_name)})) > 0`;
+        params.push(query.filter_name);
+        sql += ` AND strpos(lower(name), lower($${params.length})) > 0`;
     }
 
     if (query.filter_namespace) {
-        sql += ` AND lower(split_part(id, '-', 1)) = lower(${escapeSql(query.filter_namespace)})`;
+        params.push(query.filter_namespace);
+        sql += ` AND lower(split_part(id, '-', 1)) = lower($${params.length})`;
     }
 
     if (query.filter_layer) {
-        sql += ` AND lower(layer) IN (${query.filter_layer.split(',').map(layer => `lower(${escapeSql(layer)})`).join(',')})`;
+        sql += ` AND lower(layer) IN (${query.filter_layer.split(',').map(layer => {
+            params.push(layer);
+            return `lower($${params.length})`
+        }).join(',')})`;
     }
 
     return sql;
 }
 
 function getByBoundingBox(query, callback) {
     let boundingBoxQuery = `SELECT ${buildQueryColumns(query)} FROM features WHERE ST_Intersects(hull, ST_MakeEnvelope(
-        ${query.west}, ${query.south},
-        ${query.east}, ${query.north}, 4326
+        $1, $2,
+        $3, $4, 4326
     ))`;
 
-    boundingBoxQuery = addQueryPredicates(boundingBoxQuery, query);
+    const boundingBoxParams = [query.west, query.south, query.east, query.north];
 
-    return executeQuery(boundingBoxQuery, callback);
+    boundingBoxQuery = addQueryPredicates(boundingBoxQuery, query, boundingBoxParams);
+
+    return executeQuery(boundingBoxQuery, boundingBoxParams, callback);
 }
 
 function getByPoint(query, callback) {
-    let pointQuery = `SELECT ${buildQueryColumns(query)} FROM features WHERE ST_Contains(hull, ST_GeomFromText(
-        'POINT(${query.longitude} ${query.latitude})', 4326)
+    let pointQuery = `SELECT ${buildQueryColumns(query)} FROM features WHERE ST_Contains(hull,
+        ST_SetSRID(ST_MakePoint($1, $2), 4326)
     )`;
 
-    pointQuery = addQueryPredicates(pointQuery, query);
+    const pointParams = [query.longitude, query.latitude];
+
+    pointQuery = addQueryPredicates(pointQuery, query, pointParams);
 
-    return executeQuery(pointQuery, callback);
+    return executeQuery(pointQuery, pointParams, callback);
 }
 
 function getByName(query, callback) {
     const names = query.name.constructor === Array ? query.name : [query.name];
 
-    let namesDisjunction = `(${names.map(function(name) {
-        return `lower(name) = lower(${escapeSql(name)})`;
+    const nameParams = [];
+
+    const namesDisjunction = `(${names.map(name => {
+        nameParams.push(name);
+        return `lower(name) = lower($${nameParams.length})`;
     }).join(" OR ")})`;
+
     let nameQuery = `SELECT ${buildQueryColumns(query)} FROM features WHERE ${namesDisjunction}`;
 
-    nameQuery = addQueryPredicates(nameQuery, query);
+    nameQuery = addQueryPredicates(nameQuery, query, nameParams);
 
-    executeQuery(nameQuery, callback);
+    executeQuery(nameQuery, nameParams, callback);
 }
 
 function init(callback) {
@@ -228,29 +248,39 @@ function upsert(feature, callback) {
     feature.elevation = feature.elevation || 'null';
     feature.hierarchy = feature.hierarchy || '{}';
 
-    let upsertQuery = `INSERT INTO features (
+    const upsertQuery = `
+    INSERT INTO features (
         id, name, layer, properties, hull, created_at, updated_at
     ) VALUES (
-        ${escapeSql(feature.id)},
-        ${escapeSql(feature.name)},
-        ${escapeSql(feature.layer)},
-        ${escapeSql(JSON.stringify(feature.properties))},
+        $1,
+        $2,
+        $3,
+        $4,
 
-        ST_SetSRID(ST_GeomFromGeoJSON(${escapeSql(JSON.stringify(feature.hull))}), 4326),
+        ST_SetSRID(ST_GeomFromGeoJSON($5), 4326),
 
         current_timestamp,
         current_timestamp
     ) ON CONFLICT (id) DO UPDATE SET
-        name = ${escapeSql(feature.name)},
-        layer = ${escapeSql(feature.layer)},
-        properties = ${escapeSql(JSON.stringify(feature.properties))},
+        name = $6,
+        layer = $7,
+        properties = $8,
 
-        hull = ST_SetSRID(ST_GeomFromGeoJSON(${escapeSql(JSON.stringify(feature.hull))}), 4326),
+        hull = ST_SetSRID(ST_GeomFromGeoJSON($9), 4326),
 
         updated_at = current_timestamp
     ;`;
 
-    executeQuery(upsertQuery, callback);
+    const hullJson = JSON.stringify(feature.hull);
+    const propertiesJson = JSON.stringify(feature.properties);
+
+    const upsertParams = [
+        feature.id, feature.name, feature.layer, propertiesJson,
+        hullJson, feature.name, feature.layer, propertiesJson,
+        hullJson,
+    ];
+
+    executeQuery(upsertQuery, upsertParams, callback);
 }
 
 module.exports = {
diff --git a/services/postgres.js b/services/postgres.js
@@ -3,10 +3,6 @@ const pg = require('pg'),
       querystring = require('querystring'),
       url = require('url');
 
-function escapeSql(value) {
-    return `'${value.replace(/'/g,"''")}'`;
-}
-
 function init(callback) {
     const connectionString = process.env.FEATURES_CONNECTION_STRING;
 
@@ -34,6 +30,5 @@ function init(callback) {
 }
 
 module.exports = {
-    escapeSql: escapeSql,
     init: init
 };
diff --git a/services/visits.js b/services/visits.js
@@ -6,7 +6,6 @@ const async = require('async'),
       HttpStatus = require('http-status-codes'),
       log = common.services.log("featureService/services/visits"),
       postgres = require('./postgres'),
-      escapeSql = postgres.escapeSql,
       ServiceError = common.utils.ServiceError,
       uuid = require('uuid/v4');
 
@@ -41,14 +40,17 @@ function resultsToVisits(results) {
 }
 
 function deleteByUserId(userId, callback) {
-    executeQuery(`DELETE FROM visits WHERE user_id=${escapeSql(userId)}`, callback);
+    const query = `DELETE FROM visits WHERE user_id = $1`;
+    const params = [userId];
+
+    executeQuery(query, params, callback);
 }
 
-function executeQuery(query, callback) {
+function executeQuery(query, params, callback) {
     featureTablePool.connect((err, client, done) => {
         if (err) return callback(err);
 
-        client.query(query, (err, results) => {
+        client.query(query, params, (err, results) => {
             done();
 
             if (err)
@@ -70,12 +72,17 @@ function fromRequest(visitsJson, callback) {
 }
 
 function getByTimestamp(userId, timestamp, callback) {
-    executeQuery(`SELECT * FROM visits WHERE user_id=${escapeSql(userId)} AND start >= ${timestamp} AND finish <= ${timestamp}`, callback);
+    const query = `SELECT * FROM visits WHERE user_id = $1 AND start >= $2 AND finish <= $3`;
+    const params = [userId, timestamp, timestamp];
+
+    executeQuery(query, params, callback);
 }
 
 function getByUserId(userId, callback) {
-    let query = `SELECT * FROM visits WHERE user_id=${escapeSql(userId)}`;
-    executeQuery(query, callback);
+    const query = `SELECT * FROM visits WHERE user_id = $1`;
+    const params = [userId];
+
+    executeQuery(query, params, callback);
 }
 
 function init(callback) {
@@ -106,8 +113,6 @@ function toResponse(visits) {
 }
 
 function upsert(visits, callback) {
-    let prefix = "";
-
     visits.forEach(visit => {
         if (!visit.id)        return callback(new ServiceError(HttpStatus.BAD_REQUEST, "'id' not provided for visit: " + JSON.stringify(visit, null ,2)));
         if (!visit.userId)    return callback(new ServiceError(HttpStatus.BAD_REQUEST, "'userId' not provided for visit: " + JSON.stringify(visit, null ,2)));
@@ -117,25 +122,30 @@ function upsert(visits, callback) {
     });
 
     async.each(visits, (visit, visitCallback) => {
-        let upsertQuery = `INSERT INTO visits (
+        const upsertQuery = `INSERT INTO visits (
             id, user_id, feature_id, start, finish, created_at, updated_at
         ) VALUES (
-            ${escapeSql(visit.id)},
-            ${escapeSql(visit.userId)},
-            ${escapeSql(visit.featureId)},
-            ${visit.start},
-            ${visit.finish},
+            $1,
+            $2,
+            $3,
+            $4,
+            $5,
             current_timestamp,
             current_timestamp
         ) ON CONFLICT (id) DO UPDATE SET
-            user_id = ${escapeSql(visit.userId)},
-            feature_id = ${escapeSql(visit.featureId)},
-            start = ${visit.start},
-            finish = ${visit.finish},
+            user_id = $6,
+            feature_id = $7,
+            start = $8,
+            finish = $9,
             updated_at = current_timestamp
         ;`;
 
-        executeQuery(upsertQuery, visitCallback);
+        const upsertParams = [
+            visit.id, visit.userId, visit.featureId, visit.start, visit.finish,
+            visit.userId, visit.featureId, visit.start, visit.finish,
+        ];
+
+        executeQuery(upsertQuery, upsertParams, visitCallback);
     }, callback);
 }
 
