Peter Vazny Posted March 31, 2021 Posted March 31, 2021 We have a need to supply multiple names when a report is called via REST API. The number of names varies. It usually is just one but could go up to 8 or more. I found references to supplying Name1' OR 'Name2, but this does not seem to work because InfoAssist uses QUOTEDSTRING for any parameter in the filter. If I manually edit the fex and remove QUOTEDSTRING it works, but as soon as somebody opens the report in InfoAssist, it breaks.
Peter Vazny Posted March 31, 2021 Author Posted March 31, 2021 Well ok, it is possible via In list filter. Funny thing is that it allows for code injection. 'Joe Shmoe'); WHERE SOMEOTHERFIELD IN ('Something', 'Other' Who knows where this can be taken
Warren Hinchliffe Posted April 1, 2021 Posted April 1, 2021 Here is a bit of a hack At the effective code will be something like FIELD EQ &VAR.QUOTEDSTRING, you can be sure that quotes will be added. &VAR = VAL WHERE MYFIELD EQ VAL If there are multiple values it would look like this &VAR = VAL OR VAL2 OR VAL3 WHERE MYFIELD EQ VAL OR VAL2 OR VAL3 The simple solution is to remove the first and last quotes. &VAR = VAL OR VAL2 OR 'VAL3 WHERE MYFIELD EQ VAL OR VAL2 OR VAL3 As this is a REST API call, I would hope this is possible.
Peter Vazny Posted April 1, 2021 Author Posted April 1, 2021 I believe that QUOTEDSTRING escapes all single quotes by doubling them. So the end result of &VAR = VAL OR VAL2 OR 'VAL3 would be WHERE MYFIELD EQ ''VAL'''' OR ''''VAL2'''' OR ''''VAL3'' I tested variations of this via the API and the result is the same. I believe that QUOTEDSTRING is there to prevent code injection, besides other things and that is exactly what this hack uses. It looks like there really isnt a good and secure solution.
Todd Van Valkenburg Posted April 1, 2021 Posted April 1, 2021 And another hack. I have seen this behavior as well when an HTML page via a Portal runs a fex. To get around this behavior, I updated the fex WHERE clause to be an OR. Something like WHERE define_var EQ &prompt_var.(OR(<A,A>,<B,B>)).Prompt goes here:.; Then re-opening the fex in IA does not add the .QUOTEDSTRING which breaks the report (when run via the portal). Todd
David Beagan Posted April 1, 2021 Posted April 1, 2021 I experimented with ibisamp/ggsales passing multiple region values to an InfoAssis report. I used the in list which can work, as you pointed out, but has the code injection problem. To deal with this code injection, I added the following DEFINE FILE: OK/I1 = IF ®ION.QUOTEDSTRING CONTAINS '(' THEN 0 ELSE 1; And then create a WHERE statement: WHERE OK EQ 1; This assumes that the injection attack would contain the character (. Could allow for protection against other characters as necessary.
Warren Hinchliffe Posted April 5, 2021 Posted April 5, 2021 The double quotes were just for a -SET command to assign the string to the variable. The variable should contains VAL OR VAL2 OR VAL3 I have done this before and it works.
Peter Vazny Posted April 9, 2021 Author Posted April 9, 2021 This works in that the report will not display anything if the input field contains open parentheses, but the code still executes in the background. I did some testing and I was not able to inject anything beyond additional where statements, but I am not by any means an experienced user. So proceed with caution.
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now