SQL Injection

[WindowsNT]

Are the filters configured to detect a SQL injection attempt?

I passed

anything' OR '1'='1

to one form and it didn't detect it.

[quantumpacket]

Yes, it should detect SQLi as per filter_rules.json#L517-L529. If not, then the filter may have gotten broken. I had opened #58 in hopes of having better quality checks on new/old/modified rules.

[tranba]

Because this rule does not include ' char?

[quantumpacket]

@tranba quotes are normalized here src/Expose/Converter/ConvertMisc.php#L80-L94 if that is not done then the patterns would be overly complex with having to match each and every variation of quote use.

[tranba]

@quantumpacket I've found a problem in the run function:

expose/src/Expose/Manager.php

Lines 125 to 129 in 07ee1eb

	foreach ($data as $key => $datum){
	if (!is_array($datum)){
	$data[$key] = $converter->runAllConversions($data[$key]);
	}
	}

Convert only apply to the first level of data array, then for example
$data = array(
'POST' = array('dirty' => " a ' or 1 = 1")
)
will bypass

[quantumpacket]

@enygma Have not tested the below, but would using array_walk_recursive() suffice for the above? We may want to also check that recursion is being done in other areas as well.
[ DEMO ]

src/Expose/Manager.php

        // try to clean up standard filter bypass methods
        array_walk_recursive($data, [new \Expose\Converter\Converter, 'runAllConversions']);

        $path = array();
        // ...

src/Expose/Converter/Converter.php

    public function runAllConversions(&$value)
    {
        // ...
        // return $value;

Might I suggest running the rules against https://github.com/minimaxir/big-list-of-naughty-strings as part of the unit tests?

Also on a side-note, would you be interested in a Python3 port of Expose?

[yehgdotnet]

Seems anything' OR '1'='1 doesn't match with rules

Below are matched:

a' or 1=1;#
a' or 1=1;--

[quantumpacket]

@yehgdotnet what was the downvote for? Did the code not work or is the rule itself broken?

[yehgdotnet]

@yehgdotnet what was the downvote for? Did the code not work or is the rule itself broken?

wrong click, was too sleepy, cheers