webui: Do not use base64 encoding for queries and visualisations

Do not convert SQL queries on the execute and visualise pages to base64
when sending them to the server.

Author: MKleusberg

api/handlers.go

@@ -663,7 +663,7 @@ func executeHandler(w http.ResponseWriter, r *http.Request) {
 	// Grab the incoming SQLite query
 	rawInput := r.FormValue("sql")
 	var sql string
-	sql, err = com.CheckUnicode(rawInput)
+	sql, err = com.CheckUnicode(rawInput, true)
 	if err != nil {
 		jsonErr(w, err.Error(), http.StatusBadRequest)
 		return
@@ -927,7 +927,7 @@ func queryHandler(w http.ResponseWriter, r *http.Request) {
 
 	// Grab the incoming SQLite query
 	rawInput := r.FormValue("sql")
-	query, err := com.CheckUnicode(rawInput)
+	query, err := com.CheckUnicode(rawInput, true)
 	if err != nil {
 		jsonErr(w, err.Error(), http.StatusBadRequest)
 		return

common/userinput.go

@@ -24,21 +24,25 @@ func CheckAPIKey(apiKey string) (err error) {
 }
 
 // CheckUnicode checks if a given string is unicode, and safe for using in SQLite queries (eg no SQLite control characters)
-func CheckUnicode(rawInput string) (str string, err error) {
+func CheckUnicode(rawInput string, decodeBase64 bool) (str string, err error) {
 	var decoded []byte
-	decoded, err = base64.StdEncoding.DecodeString(rawInput)
-	if err != nil {
-		// When base64 decoding fails, automatically try again with base64url formats instead
-		var err2 error // We use err2, to not overwrite the initial error message
-		decoded, err2 = base64.URLEncoding.DecodeString(rawInput)
-		if err2 != nil {
-			// Try base64URL with no padding character(s) this time
-			decoded, err2 = base64.RawURLEncoding.DecodeString(rawInput)
+	if decodeBase64 {
+		decoded, err = base64.StdEncoding.DecodeString(rawInput)
+		if err != nil {
+			// When base64 decoding fails, automatically try again with base64url formats instead
+			var err2 error // We use err2, to not overwrite the initial error message
+			decoded, err2 = base64.URLEncoding.DecodeString(rawInput)
 			if err2 != nil {
-				// Nope.  Seems like a genuine decoding problem
-				return
+				// Try base64URL with no padding character(s) this time
+				decoded, err2 = base64.RawURLEncoding.DecodeString(rawInput)
+				if err2 != nil {
+					// Nope.  Seems like a genuine decoding problem
+					return
+				}
 			}
 		}
+	} else {
+		decoded = []byte(rawInput)
 	}
 
 	// Ensure the decoded string is valid UTF-8

common/validate.go

@@ -374,3 +374,12 @@ func ValidateUserEmail(user, email string) error {
 	}
 	return nil
 }
+
+// ValidateVisualisationName validates the provided name of a saved visualisation query
+func ValidateVisualisationName(name string) error {
+	err := Validate.Var(name, "required,visname,min=1,max=63")
+	if err != nil {
+		return err
+	}
+	return nil
+}

webui/execute.go

@@ -3,6 +3,7 @@ package main
 import (
 	"encoding/json"
 	"fmt"
+	"io"
 	"log"
 	"net/http"
 	"strings"
@@ -235,27 +236,37 @@ func execLiveSQL(w http.ResponseWriter, r *http.Request) {
 	}
 
 	// Retrieve user and database info
-	var dbOwner, dbName string
-	dbOwner, dbName, _, err = com.GetODC(2, r) // 2 = Ignore "/x/execlivesql/" at the start of the URL
+	dbOwner, dbName, _, err := com.GetODC(2, r) // 2 = Ignore "/x/execlivesql/" at the start of the URL
 	if err != nil {
 		w.WriteHeader(http.StatusBadRequest)
 		fmt.Fprint(w, err)
 		return
 	}
 
 	// Grab the incoming SQLite query
-	rawInput := r.FormValue("sql")
-	var sql string
-	sql, err = com.CheckUnicode(rawInput)
+	bodyData, err := io.ReadAll(r.Body)
+	if err != nil {
+		w.WriteHeader(http.StatusBadRequest)
+		fmt.Fprint(w, err)
+		return
+	}
+	var data ExecuteSqlRequest
+	err = json.Unmarshal([]byte(bodyData), &data)
+	if err != nil {
+		w.WriteHeader(http.StatusBadRequest)
+		fmt.Fprint(w, err)
+		return
+	}
+
+	sql, err := com.CheckUnicode(data.Sql, false)
 	if err != nil {
 		w.WriteHeader(http.StatusBadRequest)
 		fmt.Fprint(w, err)
 		return
 	}
 
 	// Check if the requested database exists
-	var exists bool
-	exists, err = com.CheckDBPermissions(loggedInUser, dbOwner, dbName, true)
+	exists, err := com.CheckDBPermissions(loggedInUser, dbOwner, dbName, true)
 	if err != nil {
 		w.WriteHeader(http.StatusInternalServerError)
 		fmt.Fprint(w, err)
@@ -268,9 +279,7 @@ func execLiveSQL(w http.ResponseWriter, r *http.Request) {
 	}
 
 	// Make sure this is a live database
-	var isLive bool
-	var liveNode string
-	isLive, liveNode, err = com.CheckDBLive(dbOwner, dbName)
+	isLive, liveNode, err := com.CheckDBLive(dbOwner, dbName)
 	if err != nil {
 		w.WriteHeader(http.StatusInternalServerError)
 		fmt.Fprint(w, err)
@@ -283,9 +292,8 @@ func execLiveSQL(w http.ResponseWriter, r *http.Request) {
 	}
 
 	// Send the SQL execution request to our AMQP backend
-	var rowsChanged int
 	var z interface{}
-	rowsChanged, err = com.LiveExecute(liveNode, loggedInUser, dbOwner, dbName, sql)
+	rowsChanged, err := com.LiveExecute(liveNode, loggedInUser, dbOwner, dbName, sql)
 	if err != nil {
 		if !strings.HasPrefix(err.Error(), "don't use exec with") {
 			log.Println(err)
@@ -398,34 +406,38 @@ func execSave(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	// SQL statement provided by the user
-	rawSQL := r.FormValue("sql")
-
-	// Initial sanity check of the SQL statements' name
-	input := com.VisGetFields{ // Reuse the validation rules for saved visualisation names
-		VisName: r.FormValue("sqlname"),
+	// SQL statement and name provided by the user
+	bodyData, err := io.ReadAll(r.Body)
+	if err != nil {
+		w.WriteHeader(http.StatusBadRequest)
+		fmt.Fprint(w, err)
+		return
 	}
-	err = com.Validate.Struct(input)
+	var data SaveSqlRequest
+	err = json.Unmarshal([]byte(bodyData), &data)
 	if err != nil {
-		log.Printf("Input validation error for execSave(): %s", err)
 		w.WriteHeader(http.StatusBadRequest)
-		fmt.Fprintf(w, "Error when validating input: %s", err)
+		fmt.Fprint(w, err)
 		return
 	}
-	sqlName := input.VisName
 
-	// Ensure minimum viable parameters are present
-	if sqlName == "" || rawSQL == "" {
+	decodedStr, err := com.CheckUnicode(data.Sql, false)
+	if err != nil {
 		w.WriteHeader(http.StatusBadRequest)
+		fmt.Fprint(w, err)
 		return
 	}
 
-	// Make sure the incoming SQLite query is "safe"
-	var decodedStr string
-	decodedStr, err = com.CheckUnicode(rawSQL)
+	err = com.ValidateVisualisationName(data.SqlName)
 	if err != nil {
 		w.WriteHeader(http.StatusBadRequest)
-		fmt.Fprint(w, err.Error())
+		fmt.Fprint(w, err)
+		return
+	}
+
+	// Ensure minimum viable parameters are present
+	if data.SqlName == "" || decodedStr == "" {
+		w.WriteHeader(http.StatusBadRequest)
 		return
 	}
 
@@ -456,8 +468,7 @@ func execSave(w http.ResponseWriter, r *http.Request) {
 	}
 
 	// Make sure the logged in user has the permissions to proceed
-	var allowed bool
-	allowed, err = com.CheckDBPermissions(loggedInUser, dbOwner, dbName, true)
+	allowed, err := com.CheckDBPermissions(loggedInUser, dbOwner, dbName, true)
 	if err != nil {
 		w.WriteHeader(http.StatusInternalServerError)
 		fmt.Fprint(w, err)
@@ -470,8 +481,7 @@ func execSave(w http.ResponseWriter, r *http.Request) {
 	}
 
 	// Ensure this is a live database
-	var isLive bool
-	isLive, _, err = com.CheckDBLive(dbOwner, dbName)
+	isLive, _, err := com.CheckDBLive(dbOwner, dbName)
 	if err != nil {
 		w.WriteHeader(http.StatusInternalServerError)
 		fmt.Fprint(w, err)
@@ -484,10 +494,10 @@ func execSave(w http.ResponseWriter, r *http.Request) {
 	}
 
 	// Save the SQL statement
-	err = com.LiveExecuteSQLSave(dbOwner, sqlName, decodedStr)
+	err = com.LiveExecuteSQLSave(dbOwner, data.SqlName, decodedStr)
 	if err != nil {
 		log.Printf("Error occurred when saving SQL statement '%s' for' '%s/%s': %s",
-			com.SanitiseLogString(sqlName), com.SanitiseLogString(dbOwner), com.SanitiseLogString(dbName), err.Error())
+			com.SanitiseLogString(data.SqlName), com.SanitiseLogString(dbOwner), com.SanitiseLogString(dbName), err.Error())
 		w.WriteHeader(http.StatusInternalServerError)
 		return
 	}

webui/js/local.js

@@ -1,12 +1,3 @@
-// base64url encode a string
-function base64url(input) {
-    let encoded = window.btoa(input);
-    encoded = encoded.replace(/=+$/, '');
-    encoded = encoded.replace(/\+/g, '-');
-    encoded = encoded.replace(/\//g, '_');
-    return encoded
-}
-
 // Construct a timestamp string for use in user messages
 function nowString() {
     // Construct a timestamp for the success message

webui/templates/execute.html

@@ -81,15 +81,6 @@ <h4 style="color: {{ statusMessageColour }};" data-cy="statusmsg">&nbsp;{{ statu
 [[ template "script_db_header" . ]]
 [[ template "footer" . ]]
 <script>
-    // base64url encode a string
-    function base64url(input) {
-        let encoded = window.btoa(input);
-        encoded = encoded.replace(/=+$/, '');
-        encoded = encoded.replace(/\+/g, '-');
-        encoded = encoded.replace(/\//g, '_');
-        return encoded
-    }
-
     // Pre-filled table row data
     let dataReceived = false;
 
@@ -286,8 +277,12 @@ <h4 style="color: {{ statusMessageColour }};" data-cy="statusmsg">&nbsp;{{ statu
             if (!$scope.checkSQL()) return;
 
             // Send the SQL string to the backend
-            let encoded = base64url(userSQL);
-            $http.get("/x/execlivesql/[[ .DB.Info.Owner ]]/[[ .DB.Info.Database ]]?commit=[[ .DB.Info.CommitID ]]&sql="+encoded).then(
+            $http({
+                url: "/x/execlivesql/[[ .DB.Info.Owner ]]/[[ .DB.Info.Database ]]",
+                method: "post",
+                data: {sql: userSQL},
+                headers: {'Content-Type': 'application/json'}
+            }).then(
                 function success(response) {
                     // We can potentially receive either "Execute SQL" or Query responses here
                     if ("rows_changed" in response.data) {
@@ -356,10 +351,13 @@ <h4 style="color: {{ statusMessageColour }};" data-cy="statusmsg">&nbsp;{{ statu
             if (!$scope.checkSQL()) return;
 
             // Save it
-            let name = document.getElementById("savename").value;
-            let args = "sqlname=" + name;
-            args += "&sql=" + base64url(userSQL);
-            $http.get("/x/execsave/[[ .DB.Info.Owner ]]/[[ .DB.Info.Database ]]?commit=[[ .DB.Info.CommitID ]]&"+args).then(
+            const name = document.getElementById("savename").value;
+            $http({
+                url: "/x/execsave/[[ .DB.Info.Owner ]]/[[ .DB.Info.Database ]]",
+                method: "post",
+                data: {sql_name: name, sql: userSQL},
+                headers: {'Content-Type': 'application/json'}
+            }).then(
                 function success(response) {
                     $scope.statusMessageColour = "green";
                     $scope.statusMessage = nowString() + "SQL statement '" + name + "' saved";

webui/templates/visualise.html

@@ -595,8 +595,12 @@ <h4 style="color: {{ statusMessageColour }};" data-cy="statusmsg">&nbsp;{{ statu
             if (!$scope.checkSQL()) return;
 
             // Generate the csv
-            let encoded = base64url(userSQL);
-            $http.get("/x/visdlresults/[[ .DB.Info.Owner ]]/[[ .DB.Info.Database ]]?commit=[[ .DB.Info.CommitID ]]&sql="+encoded).then(
+            $http({
+                url: "/x/visdlresults/[[ .DB.Info.Owner ]]/[[ .DB.Info.Database ]]?commit=[[ .DB.Info.CommitID ]]",
+                method: "post",
+                data: {sql: userSQL},
+                headers: {'Content-Type': 'application/json'}
+            }).then(
                 function success(response) {
                     // Clear any existing status message
                     $scope.statusMessage = "";
@@ -630,8 +634,12 @@ <h4 style="color: {{ statusMessageColour }};" data-cy="statusmsg">&nbsp;{{ statu
             if (!$scope.checkSQL()) return;
 
             // Send the SQL string to the backend
-            let encoded = base64url(userSQL);
-            $http.get("/x/execsql/[[ .DB.Info.Owner ]]/[[ .DB.Info.Database ]]?commit=[[ .DB.Info.CommitID ]]&sql="+encoded).then(
+            $http({
+                url: "/x/execsql/[[ .DB.Info.Owner ]]/[[ .DB.Info.Database ]]?commit=[[ .DB.Info.CommitID ]]",
+                method: "post",
+                data: {sql: userSQL},
+                headers: {'Content-Type': 'application/json'}
+            }).then(
                 function success(response) {
                     // Give a useful "success" status message
                     $scope.statusMessageColour = "green";
@@ -707,7 +715,6 @@ <h4 style="color: {{ statusMessageColour }};" data-cy="statusmsg">&nbsp;{{ statu
             let args = "xaxis=" + $scope.XAxisColumn;
             args += "&yaxis=" + $scope.YAxisColumn;
             args += "&visname=" + name;
-            args += "&sql=" + base64url(userSQL);
             switch ($scope.ChartType) {
                 case "Horizontal bar chart":
                     args += "&charttype=hbc";
@@ -729,7 +736,12 @@ <h4 style="color: {{ statusMessageColour }};" data-cy="statusmsg">&nbsp;{{ statu
                 args += "&showxlabel=" + $scope.radioXAxisShowLabels;
                 args += "&showylabel=" + $scope.radioYAxisShowLabels;
             }
-            $http.get("/x/vissave/[[ .DB.Info.Owner ]]/[[ .DB.Info.Database ]]?commit=[[ .DB.Info.CommitID ]]&"+args).then(
+            $http({
+                url: "/x/vissave/[[ .DB.Info.Owner ]]/[[ .DB.Info.Database ]]?commit=[[ .DB.Info.CommitID ]]&" + args,
+                method: "post",
+                data: {sql: userSQL},
+                headers: {'Content-Type': 'application/json'}
+            }).then(
                 function success(response) {
                     $scope.statusMessageColour = "green";
                     $scope.statusMessage = nowString() + "Visualisation '" + name + "' saved";

webui/types.go

@@ -27,3 +27,12 @@ type UpdateDataRequest struct {
 	Table string                 `json:"table"`
 	Data  []UpdateDataRequestRow `json:"data"`
 }
+
+type ExecuteSqlRequest struct {
+	Sql string `json:"sql"`
+}
+
+type SaveSqlRequest struct {
+	Sql     string `json:"sql"`
+	SqlName string `json:"sql_name"`
+}