55
66<overview >
77<p >
8- Code that constructs a string containing a quoted substring needs to ensure that any user-provided
9- data embedded in between the quotes does not itself contain a quote. Otherwise the embedded data
10- could (accidentally or intentionally) change the structure of the overall string by terminating
11- the quoted substring early , with potentially severe consequences. If, for example, the string is
12- later interpreted as an operating-system command or database query, a malicious attacker may be
13- able to craft input data that enables a command injection or SQL injection attack .
8+ Code that constructs a quoted string literal containing user-provided data needs to ensure that
9+ this data does not itself contain a quote. Otherwise the embedded data could (accidentally or
10+ intentionally) terminate the string literal early and thereby change the structure of the overall
11+ string , with potentially severe consequences. If, for example, the string is later used as
12+ part of an operating-system command or database query, an attacker may be able to craft input data
13+ that injects a malicious command .
1414</p >
1515</overview >
1616
1717<recommendation >
1818<p >
1919Sanitize the embedded data appropriately to ensure quotes are escaped, or use an API that does
20- not rely on manually constructing quoted substrings.
20+ not rely on manually constructing quoted substrings. Make sure to use the appropriate escaping
21+ mechanism, for example, double quoting for SQL strings or backslash escaping for shell commands.
22+ When using backslash escaping, the backslash character itself must also be escaped.
2123</p >
2224</recommendation >
2325
@@ -29,17 +31,38 @@ then embeds it into a SQL query built using the Squirrel library.
2931</p >
3032<sample src =" StringBreak.go"
3133<p >
32- Note that while Squirrel provides a structured API for building SQL queries that mitigates against
33- common causes of SQL injection vulnerabilities, this code is still vulnerable: if the JSON-encoded
34- representation of <code >version</code > contains a single quote, this will prematurely close the
35- surrounding string, changing the structure of the SQL expression being constructed. This could be
36- exploited to mount a SQL injection attack.
34+ Note that JSON encoding does not escape single quotes in any way, so this code is vulnerable: any
35+ single-quote character in <code >version</code > will prematurely close the surrounding string literal,
36+ changing the structure of the SQL expression being constructed. This could be exploited to mount
37+ a SQL injection attack.
3738</p >
3839<p >
39- To fix this vulnerability, use Squirrel's placeholder syntax, which avoids the need to explicitly
40- construct a quoted string.
40+ To fix this vulnerability, use the placeholder syntax from Squirrel's structured API for building
41+ queries, which avoids the need to explicitly construct a quoted string.
4142</p >
4243<sample src =" StringBreakGood.go"
44+ <p >
45+ In situations where a structured API is not available, make sure that you escape quotes before embedding
46+ user-provided data into a quoted string. For example, this is how you can backslash-escape single
47+ quotes using <code >strings.ReplaceAll</code >:
48+ </p >
49+ <sample language =" go"
50+ quoted := strings.ReplaceAll(raw, `\`, `\\`)
51+ quoted = strings.ReplaceAll(quoted, "'", "\\'")
52+ </sample >
53+ <p >
54+ Note that any existing backslash characters in the string must be escaped first, so that they do
55+ not interfere with the escaping of single quotes.
56+ </p >
57+ <p >
58+ In some cases, <code >strconv.Quote</code > is a convenient option for backslash escaping, but note
59+ that it has two limitations:
60+ </p >
61+ <ol >
62+ <li >It only supports double quotes, not single quotes (as in the example).</li >
63+ <li >It puts quotes around the entire string, so it can only be used to construct complete string
64+ literals, not parts of larger string literals.</li >
65+ </ol >
4366</example >
4467
4568<references >
0 commit comments