Bug 6203 - audit record not inserted for RSL argument containing single quotes
Status: RESOLVED FIXED
Product: GRAM
Component: wsrf managed execution job service
Version: 4.0.7
Platform: Macintosh All
Importance: P3 normal
Reported: 2008-07-02 09:11 by
Modified: 2009-01-08 14:01


Description From 2008-07-02 09:11:54
Begin forwarded message:

From: Yuriy <yuriy.halytskyy@gmail.com>
Date: July 1, 2008 11:28:42 PM CDT
To: gt-user <gt-user@globus.org>
Subject: [gt-user] Problem with GRAM Audit database


Hi, 

GRAM audit database is not updated when an RSL for the job contains
fields with single quotes. Is it a bug in GRAM or am I missing
something?
For example, the following script creates a record in audit:

<job>
<executable>/bin/echo</executable> 
<directory>/home/grid-bestgrid</directory>
<argument>a</argument> 
<jobType>single</jobType> 
</job>


And the following does not:

<job>
<executable>/bin/echo</executable> 
<directory>/home/grid-bestgrid</directory>
<argument>'a'</argument> 
<jobType>single</jobType> 
</job>

Both jobs execute successfully. 
We use globus from VDT 1.10.

Regards,
Yuriy
------- Comment #1 From 2008-07-02 09:26:47 -------
Is this a sign that database input is not being properly sanitized?  Is there
an SQL injection vulnerability?
------- Comment #2 From 2008-09-16 17:32:18 -------
Hi Jim,

Can you give an example for sanitizing DB input values and an SQL injection
vulnerability?

Thanks,
Stu
------- Comment #3 From 2008-09-16 18:08:32 -------
http://en.wikipedia.org/wiki/Sql_injection
------- Comment #4 From 2008-09-17 18:13:28 -------
Yes, it seems that database input is not being properly sanitized, and yes,
there seems to be an SQL injection vulnerability.
Yuriy should have seen an exception in the container logfile indicating that
something went wrong when trying to upload an audit record into the database.

In 4.0.x audit logging single quotes in a job description cause problems,
because the SQL string is created manually and looks like

   INSERT INTO gram_audit_table (job_grid_id, local_job_id, ...)
   values (...,'feller','a4171c1e-850a-11dd-a8d4-0013d4c3b957', ...);

Any non-escaped single quote destroys the intended syntax here, and currently
they are not escaped in 4.0.x.

4.2.x is not affected as we handle database upload differently.
I'll prepare a patch for this.
------- Comment #5 From 2008-09-18 10:33:17 -------
Fix committed to 4.0 branch. The fix is to escape single quotes.
Let me know if anyone would like to have a patch.
------- Comment #6 From 2009-01-08 14:01:27 -------
fix will be in 4.0.9
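
Added example (not part of the bug thread and not Globus code): a Python/sqlite3 reproduction of the failure described in Comment #4 and of the quote-escaping fix from Comment #5, next to an insert that uses bound parameters. Only gram_audit_table, job_grid_id and local_job_id come from the page; the rsl column, the function names and the sample values are assumptions.

```python
import sqlite3

# Only the table name and the first two columns appear on the page;
# the "rsl" column is a hypothetical stand-in for the job description field.
SCHEMA = "CREATE TABLE gram_audit_table (job_grid_id TEXT, local_job_id TEXT, rsl TEXT)"
INSERT = "INSERT INTO gram_audit_table (job_grid_id, local_job_id, rsl) VALUES "
PLAIN = "<argument>a</argument>"      # first job from the report
QUOTED = "<argument>'a'</argument>"   # second job from the report

def insert_concatenated(db, job_id, local_id, rsl):
    """Manual SQL string as in Comment #4: values pasted between quotes, unescaped."""
    db.execute(INSERT + "('%s', '%s', '%s')" % (job_id, local_id, rsl))

def insert_escaped(db, job_id, local_id, rsl):
    """The fix from Comment #5: double every single quote before pasting."""
    esc = lambda v: v.replace("'", "''")
    db.execute(INSERT + "('%s', '%s', '%s')" % (esc(job_id), esc(local_id), esc(rsl)))

def insert_bound(db, job_id, local_id, rsl):
    """Bound parameters: values never become part of the SQL text."""
    db.execute(INSERT + "(?, ?, ?)", (job_id, local_id, rsl))

def run_case(insert, rsl):
    """Run one insert strategy on a fresh in-memory DB; return (outcome, stored rsl)."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    try:
        insert(db, "constructed-job-id", "1234", rsl)  # constructed sample ids
        outcome = "inserted"
    except sqlite3.Error as exc:
        # The job itself is unaffected; only the audit row is lost.
        outcome = "failed: " + type(exc).__name__
    stored = [row[0] for row in db.execute("SELECT rsl FROM gram_audit_table")]
    db.close()
    return outcome, stored

if __name__ == "__main__":
    for rsl in (PLAIN, QUOTED):
        for fn in (insert_concatenated, insert_escaped, insert_bound):
            print("%-20s %-26r %s" % (fn.__name__, rsl, run_case(fn, rsl)))
```

Quote doubling is sufficient only where the database treats '' as the sole escape inside a string literal; bound parameters remove that dependency on the SQL dialect.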