[POLL] Escaping behaviour in SQL/LDAP/regexes
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Mon Mar 10 17:13:46 UTC 2025
For FreeRADIUS v4 we have a new method of automatically escaping values used in various DSLs (Domain Specific Languages) like SQL, LDAP and regular expressions.
We'd appreciate it if FreeRADIUS users could look over the policy snippets below and indicate what you expect the SQL statement to be _as executed_ (not the result of evaluating the statement).
Assume the value of User-Name is: Bob'; DROP TABLE users;--
Possible answers:
a) SELECT * FROM my-table WHERE Service-Type = 'Framed-User' AND User-Name = 'Bob'; DROP TABLE users;--'
b) SELECT * FROM my-table WHERE Service-Type = \'Framed-User\' AND User-Name = 'Bob\'; DROP TABLE users;--'
c) SELECT * FROM my-table WHERE Service-Type = 'Framed-User' AND User-Name = 'Bob\'; DROP TABLE users;--'
d) Other. Please write expected, expanded, SQL statement.
Do not return to previous statements and alter answers. The purpose of this poll is to determine what users expect the behaviour to be, prior to seeing example code or reading documentation.
1)
recv authorize {
    string sql_condition
    sql_condition = "Service-Type = 'Framed-User'"
    %sql.query("SELECT * FROM my-table WHERE %{sql_condition} AND User-Name = '%{User-Name}'")
}
2)
recv authorize {
    string sql_condition
    sql_condition = %sql.safe("Service-Type = 'Framed-User'")
    %sql.query("SELECT * FROM my-table WHERE %{sql_condition} AND User-Name = '%{User-Name}'")
}
3)
recv authorize {
    string sql_condition
    sql_condition = "Service-Type = 'Framed-User'"
    %sql.query("SELECT * FROM my-table WHERE %sql.safe(%{sql_condition}) AND User-Name = '%{User-Name}'")
}
4)
recv authorize {
    string sql_condition
    sql_condition = "Service-Type = 'Framed-User'"
    %sql.query("SELECT * FROM my-table WHERE %sql.safe(%{sql_condition}) AND User-Name = '%sql.safe(%{User-Name})'")
}
Other FreeRADIUS developers please refrain from responding until the 14th of March (when we'll tally results).
Many Thanks,
-Arran
Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
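The following is an added illustration, not part of the post and not FreeRADIUS code: a minimal model of a "safe"-marked value, in which everything interpolated into a statement is escaped unless it is wrapped in a hypothetical Safe marker standing in for %sql.safe. It reproduces the poll's three candidate statements from its inputs and adds a quote-count check that flags a terminated literal; which answer FreeRADIUS v4 actually produces is not stated in the post.

```python
import re
from dataclasses import dataclass

# Constructed inputs, taken from the poll above.
USER_NAME = "Bob'; DROP TABLE users;--"
CONDITION = "Service-Type = 'Framed-User'"
TEMPLATE = "SELECT * FROM my-table WHERE %{sql_condition} AND User-Name = '%{User-Name}'"


@dataclass(frozen=True)
class Safe:
    """Hypothetical stand-in for a %sql.safe-marked value: inserted verbatim."""
    text: str


def sql_escape(value: str) -> str:
    """Backslash-escape what could terminate a single-quoted literal.
    MySQL-style, matching the poll's answers; other dialects double the quote."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def expand(template: str, ctx: dict, escape: bool = True) -> str:
    """Expand %{name} references; with escape=True plain strings are escaped
    on interpolation while Safe values pass through untouched."""
    def sub(m: re.Match) -> str:
        value = ctx[m.group(1)]
        if isinstance(value, Safe):
            return value.text
        return sql_escape(value) if escape else value
    return re.sub(r"%\{([^}]+)\}", sub, template)


def unescaped_quote_count(sql: str) -> int:
    """Count single quotes not preceded by a backslash; an odd count means a
    literal was closed early, which is what the poll's User-Name does."""
    return len(re.findall(r"(?<!\\)'", sql))


def query_no_escaping() -> str:
    # Nothing escaped: the poll's answer (a), the injected statement survives.
    return expand(TEMPLATE, {"sql_condition": CONDITION, "User-Name": USER_NAME}, escape=False)


def query_condition_unmarked() -> str:
    # Every interpolated value escaped, including the trusted condition: answer (b).
    return expand(TEMPLATE, {"sql_condition": CONDITION, "User-Name": USER_NAME})


def query_condition_marked() -> str:
    # Condition marked safe, User-Name still escaped: answer (c).
    return expand(TEMPLATE, {"sql_condition": Safe(CONDITION), "User-Name": USER_NAME})
```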