Sql-server – Security Risks with having Test Stored Procedures that have SQL Injection Vulnerability

Securitysql serversql-injection

I noticed that some of the stored procedures used in our integration tests for data generation have SQL injection vulnerabilities. These procedures are taking into string parameters to build a SQL string and executing it. However, these procedures are only ever used for testing.

At first, I thought it was a big issue. However, if these procedures aren't accessible to the public, maybe it's not a problem. But I could be missing something. Are there any potential issues with this setup and my assumptions?

Some possible issues I could think of:

1) Test database somehow has access to a non-test database

2) Accidental procedure copying to a non-test database

3) People might see the procedure and think it's good practice

Though 1 & 2 still wouldn't be accessible.

Best Answer

One of the biggest IT security misconceptions people have is that there is little or no risk if the system is not public-facing. There is certainly less risk, but there is still a huge amount of risk because many breaches are coming from within the attacked network.

Assume that your network is infiltrated by a hacker by gaining remote access to a workstation. From this workstation, they can then launch attacks on all of your systems, not just the public-facing ones. All of the millions of phishing attempts that are made each day would not be occurring unless some of them were successful, so you have to acknowledge that this type of infiltration does happen, and could happen on your network.

If a hacker were to discover this stored procedure, they could then add objects to the test server, which could possibly end up being promoted to the production server. You have to assume that once you have bad code somewhere that it can spread. The fact that there is a SQL injection vulnerability seems to indicate that your developers are not as concerned about security as maybe they should be.

How much damage could be done and how easily would depend on how many other security vulnerabilities exist. It's certainly unlikely that a hacker would be able to find this stored procedure, but it's certainly possible if they are sniffing network traffic and your client connections are not encrypted. And how secure are the servers that are calling this stored procedure? You have to assume that the test code could be decompiled, which would allow someone to discover it and how it's used.

Another misconception is, "there's nothing important on this server." That may be true, but it could be used as a bridge to servers that do have something important. The current line of thought is that your network will be breached and there will be damage, so every system has to be locked down as much as possible to minimize the damage.

And as you mentioned, a less-seasoned developer might see this and think it's an acceptable practice, and then some emergency code that is not properly reviewed ends up in production. So it certainly can be seen as setting a bad precedent.

Related Solutions

PostgreSQL – Do Stored Procedures Prevent SQL Injection?

No, stored procedures do not prevent SQL injection. Here's an actual example (from an in-house app someone created where I work) of a stored procedure that unfortunately permits SQL injection:

This sql server code:

CREATE PROCEDURE [dbo].[sp_colunmName2]   
    @columnName as nvarchar(30),
    @type as nvarchar(30), 
    @searchText as nvarchar(30)           
AS
BEGIN
    DECLARE @SQLStatement NVARCHAR(4000)
    BEGIN
        SELECT @SQLStatement = 'select * from Stations where ' 
            + @columnName + ' ' + @type + ' ' + '''' + @searchText + '''' 
        EXEC(@SQLStatement)
    END      
END
GO

roughly equivalent to postgres:

CREATE or replace FUNCTION public.sp_colunmName2 (
    columnName  varchar(30),
    type varchar(30), 
    searchText  varchar(30) ) RETURNS SETOF stations LANGUAGE plpgsql            
AS
$$
DECLARE SQLStatement VARCHAR(4000);
BEGIN
    SQLStatement = 'select * from Stations where ' 
            || columnName || ' ' || type || ' ' || ''''|| searchText || '''';
    RETURN QUERY EXECUTE  SQLStatement;
END
$$;

The developer's idea was to create a versatile search procedure, but the result is that the WHERE clause can contain anything the user wants, allowing a visit from little Bobby Tables.

Whether you use SQL statements or stored procedure doesn't matter. What matters is whether your SQL uses parameters or concatenated strings. Parameters prevent SQL injection; concatenated strings allow SQL injection.

Sql-server – How to separate Stored Procedures (i.e. all the business logic) from Client Database so that it only contains client data

I do not think that your requirements are complete as there are reasons that your prior attempts did not work that are not reflected in the stated Requirements. You mentioned in attempted solution #1 that you need to be able to debug the code / know what version it is, and the client needs to be able to replicate the code. Are these two issues current requirements?

If the need for replication is still a requirement, then that conflicts with the requirement to be "compiled (secured)".

I will assume that the client's server is something they have full sa access to such that DENYing the VIEW ANY DEFINITION permission is not a viable approach.

One thing to try is taking the T-SQL of your Stored Procedures and encapsulating each one, unchanged, into CLR Stored Procedures. You would place one or more related Stored Procedures into an Assembly. Here are some thoughts about this:

Assemblies conveniently have a version number that can be seen in the sys.assemblies catalog view, SSMS (right-click on the Assembly to view the Properties), and the ASSEMBLYPROPERTY function.
You probably don't want to put all of the Stored Procedures into a single Assembly, but you also don't want to have one Assembly per Stored Procedure. You can have one class file per Stored Procedure and several of those included in a single Assembly.
All of the Assemblies should use WITH PERMISSION_SET = SAFE
The only code in each CLR Stored Procedure would be:
- Create a SqlCommand with a CommandType of CommandType.Text and CommandText set to the current T-SQL Stored Procedure content
- No SqlConnection should be needed (if it is, then it is just "context connection=true")
- Map the SqlParameterCollection of the SqlCommand to the input parameters of the CLR Stored Procedure
- Call SqlContext.Pipe.ExecuteAndSend(_YourSqlCommand);
The Assembly and related Stored Procedures would be loaded into each Client DB
CLR Stored Procedures are not able to be replicated, but that could probably be worked around

Best Answer

Related Solutions

PostgreSQL – Do Stored Procedures Prevent SQL Injection?

Sql-server – How to separate Stored Procedures (i.e. all the business logic) from Client Database so that it only contains client data

Related Question