Jump to content

Recommended Posts

Posted
We have a need to supply multiple names when a report is called via REST API. The number of names varies. It usually is just one but could go up to 8 or more. I found references to supplying Name1' OR 'Name2, but this does not seem to work because InfoAssist uses QUOTEDSTRING for any parameter in the filter. If I manually edit the fex and remove QUOTEDSTRING it works, but as soon as somebody opens the report in InfoAssist, it breaks.
Posted

Well ok, it is possible via In list filter. Funny thing is that it allows for code injection.

'Joe Shmoe'); WHERE SOMEOTHERFIELD IN ('Something', 'Other'

Who knows where this can be taken

Posted

Here is a bit of a hack

At the effective code will be something like FIELD EQ &VAR.QUOTEDSTRING, you can be sure that quotes will be added.

&VAR = VAL

WHERE MYFIELD EQ VAL

If there are multiple values it would look like this

&VAR = VAL OR VAL2 OR VAL3

WHERE MYFIELD EQ VAL OR VAL2 OR VAL3

The simple solution is to remove the first and last quotes.

&VAR = VAL OR VAL2 OR 'VAL3

WHERE MYFIELD EQ VAL OR VAL2 OR VAL3

As this is a REST API call, I would hope this is possible.

Posted

I believe that QUOTEDSTRING escapes all single quotes by doubling them. So the end result of

&VAR = VAL OR VAL2 OR 'VAL3

would be

WHERE MYFIELD EQ ''VAL'''' OR ''''VAL2'''' OR ''''VAL3''

 

I tested variations of this via the API and the result is the same. I believe that QUOTEDSTRING is there to prevent code injection, besides other things and that is exactly what this hack uses.

It looks like there really isnt a good and secure solution.

Posted

And another hack. I have seen this behavior as well when an HTML page via a Portal runs a fex. To get around this behavior, I updated the fex WHERE clause to be an OR. Something like

WHERE define_var EQ &prompt_var.(OR(<A,A>,<B,B>)).Prompt goes here:.;

Then re-opening the fex in IA does not add the .QUOTEDSTRING which breaks the report (when run via the portal).

Todd

Posted

I experimented with ibisamp/ggsales passing multiple region values to an InfoAssis report. I used the in list which can work, as you pointed out, but has the code injection problem. To deal with this code injection, I added the following DEFINE FILE:

OK/I1 = IF &REGION.QUOTEDSTRING CONTAINS '(' THEN 0 ELSE 1;

 

And then create a WHERE statement:

WHERE OK EQ 1;

 

This assumes that the injection attack would contain the character (. Could allow for protection against other characters as necessary.

Posted
This works in that the report will not display anything if the input field contains open parentheses, but the code still executes in the background. I did some testing and I was not able to inject anything beyond additional where statements, but I am not by any means an experienced user. So proceed with caution.

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
  • Create New...