Peter Vazny Posted March 31, 2021 Share Posted March 31, 2021 We have a need to supply multiple names when a report is called via REST API. The number of names varies. It usually is just one but could go up to 8 or more. I found references to supplying Name1' OR 'Name2, but this does not seem to work because InfoAssist uses QUOTEDSTRING for any parameter in the filter. If I manually edit the fex and remove QUOTEDSTRING it works, but as soon as somebody opens the report in InfoAssist, it breaks. Link to comment Share on other sites More sharing options...
Peter Vazny Posted March 31, 2021 Author Share Posted March 31, 2021 Well ok, it is possible via In list filter. Funny thing is that it allows for code injection. 'Joe Shmoe'); WHERE SOMEOTHERFIELD IN ('Something', 'Other' Who knows where this can be taken Link to comment Share on other sites More sharing options...
Warren Hinchliffe Posted April 1, 2021 Share Posted April 1, 2021 Here is a bit of a hack At the effective code will be something like FIELD EQ &VAR.QUOTEDSTRING, you can be sure that quotes will be added. &VAR = VAL WHERE MYFIELD EQ VAL If there are multiple values it would look like this &VAR = VAL OR VAL2 OR VAL3 WHERE MYFIELD EQ VAL OR VAL2 OR VAL3 The simple solution is to remove the first and last quotes. &VAR = VAL OR VAL2 OR 'VAL3 WHERE MYFIELD EQ VAL OR VAL2 OR VAL3 As this is a REST API call, I would hope this is possible. Link to comment Share on other sites More sharing options...
Peter Vazny Posted April 1, 2021 Author Share Posted April 1, 2021 I believe that QUOTEDSTRING escapes all single quotes by doubling them. So the end result of &VAR = VAL OR VAL2 OR 'VAL3 would be WHERE MYFIELD EQ ''VAL'''' OR ''''VAL2'''' OR ''''VAL3'' I tested variations of this via the API and the result is the same. I believe that QUOTEDSTRING is there to prevent code injection, besides other things and that is exactly what this hack uses. It looks like there really isnt a good and secure solution. Link to comment Share on other sites More sharing options...
Todd Van Valkenburg Posted April 1, 2021 Share Posted April 1, 2021 And another hack. I have seen this behavior as well when an HTML page via a Portal runs a fex. To get around this behavior, I updated the fex WHERE clause to be an OR. Something like WHERE define_var EQ &prompt_var.(OR(<A,A>,<B,B>)).Prompt goes here:.; Then re-opening the fex in IA does not add the .QUOTEDSTRING which breaks the report (when run via the portal). Todd Link to comment Share on other sites More sharing options...
David Beagan Posted April 1, 2021 Share Posted April 1, 2021 I experimented with ibisamp/ggsales passing multiple region values to an InfoAssis report. I used the in list which can work, as you pointed out, but has the code injection problem. To deal with this code injection, I added the following DEFINE FILE: OK/I1 = IF ®ION.QUOTEDSTRING CONTAINS '(' THEN 0 ELSE 1; And then create a WHERE statement: WHERE OK EQ 1; This assumes that the injection attack would contain the character (. Could allow for protection against other characters as necessary. Link to comment Share on other sites More sharing options...
Warren Hinchliffe Posted April 5, 2021 Share Posted April 5, 2021 The double quotes were just for a -SET command to assign the string to the variable. The variable should contains VAL OR VAL2 OR VAL3 I have done this before and it works. Link to comment Share on other sites More sharing options...
Peter Vazny Posted April 9, 2021 Author Share Posted April 9, 2021 This works in that the report will not display anything if the input field contains open parentheses, but the code still executes in the background. I did some testing and I was not able to inject anything beyond additional where statements, but I am not by any means an experienced user. So proceed with caution. Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now