removed fmt strings and replaced with inline SQL | added unit tests

imthaghost · imthaghost · commit 32f0cf1aebd4 · 2022-01-26T12:24:53.000-08:00
diff --git a/plugins/database/mssql/mssql.go b/plugins/database/mssql/mssql.go
@@ -5,13 +5,14 @@ import (
 	"database/sql"
 	"errors"
 	"fmt"
-	"strconv"
 	"strings"
 
 	_ "github.com/denisenkom/go-mssqldb"
-	multierror "github.com/hashicorp/go-multierror"
+	"github.com/hashicorp/go-multierror"
+	"github.com/hashicorp/go-secure-stdlib/parseutil"
 	"github.com/hashicorp/go-secure-stdlib/strutil"
-	dbplugin "github.com/hashicorp/vault/sdk/database/dbplugin/v5"
+
+	"github.com/hashicorp/vault/sdk/database/dbplugin/v5"
 	"github.com/hashicorp/vault/sdk/database/helper/connutil"
 	"github.com/hashicorp/vault/sdk/database/helper/dbutil"
 	"github.com/hashicorp/vault/sdk/helper/dbtxn"
@@ -98,20 +99,14 @@ func (m *MSSQL) Initialize(ctx context.Context, req dbplugin.InitializeRequest)
 		return dbplugin.InitializeResponse{}, fmt.Errorf("invalid username template - did you reference a field that isn't available? : %w", err)
 	}
 
-	containedDB := false
-	containedDBRaw, err := strutil.GetString(req.Config, "contained_db")
-	if err != nil {
-		return dbplugin.InitializeResponse{}, fmt.Errorf("failed to retrieve contained_db: %w", err)
-	}
-	if containedDBRaw != "" {
-		containedDB, err = strconv.ParseBool(containedDBRaw)
+	if v, ok := req.Config["contained_db"]; ok {
+		containedDB, err := parseutil.ParseBool(v)
 		if err != nil {
-			return dbplugin.InitializeResponse{}, fmt.Errorf("parsing error: incorrect boolean operator provided for contained_db: %w", err)
+			return dbplugin.InitializeResponse{}, fmt.Errorf(`invalid value for "contained_db": %w`, err)
 		}
+		m.containedDB = containedDB
 	}
 
-	m.containedDB = containedDB
-
 	resp := dbplugin.InitializeResponse{
 		Config: newConf,
 	}
@@ -221,24 +216,32 @@ func (m *MSSQL) revokeUserDefault(ctx context.Context, username string) error {
 
 	// Check if DB is contained
 	if m.containedDB {
-		revokeStmt, err := db.PrepareContext(ctx, fmt.Sprintf("DROP USER IF EXISTS [%s]", username))
+		revokeQuery :=
+			`DECLARE @stmt nvarchar(max);
+			SET @stmt = 'DROP USER IF EXISTS ' + QuoteName(@username);
+			EXEC(@stmt);`
+		revokeStmt, err := db.PrepareContext(ctx, revokeQuery)
 		if err != nil {
 			return err
 		}
 		defer revokeStmt.Close()
-		if _, err := revokeStmt.ExecContext(ctx); err != nil {
+		if _, err := revokeStmt.ExecContext(ctx, sql.Named("username", username)); err != nil {
 			return err
 		}
 		return nil
 	}
 
 	// First disable server login
-	disableStmt, err := db.PrepareContext(ctx, fmt.Sprintf("ALTER LOGIN [%s] DISABLE;", username))
-	if err != nil {
+	disableQuery :=
+		`DECLARE @stmt nvarchar(max);
+		SET @stmt = 'ALTER LOGIN ' + QuoteName(@username) + ' DISABLE';
+		EXEC(@stmt);`
+	disableStmt, err := db.PrepareContext(ctx, disableQuery)
+	if err != nil{
 		return err
 	}
 	defer disableStmt.Close()
-	if _, err := disableStmt.ExecContext(ctx); err != nil {
+	if _, err := disableStmt.ExecContext(ctx, sql.Named("username", username)); err != nil {
 		return err
 	}
 
@@ -316,12 +319,12 @@ func (m *MSSQL) revokeUserDefault(ctx context.Context, username string) error {
 	}
 
 	// Drop this login
-	stmt, err = db.PrepareContext(ctx, fmt.Sprintf(dropLoginSQL, username, username))
+	stmt, err = db.PrepareContext(ctx, dropLoginSQL)
 	if err != nil {
 		return err
 	}
 	defer stmt.Close()
-	if _, err := stmt.ExecContext(ctx); err != nil {
+	if _, err := stmt.ExecContext(ctx, sql.Named("username", username)); err != nil {
 		return err
 	}
 
@@ -418,14 +421,12 @@ END
 `
 
 const dropLoginSQL = `
-IF EXISTS
-  (SELECT name
-   FROM master.sys.server_principals
-   WHERE name = N'%s')
-BEGIN
-  DROP LOGIN [%s]
-END
-`
+DECLARE @stmt nvarchar(max)
+SET @stmt = 'IF EXISTS (SELECT name FROM [master].[sys].[server_principals] WHERE [name] = ' + QuoteName(@username, '''') + ') ' +
+	'BEGIN ' +
+		'DROP LOGIN ' + QuoteName(@username) + ' ' +
+	'END'
+EXEC (@stmt)`
 
 const alterLoginSQL = `
 ALTER LOGIN [{{username}}] WITH PASSWORD = '{{password}}' 
diff --git a/plugins/database/mssql/mssql_test.go b/plugins/database/mssql/mssql_test.go
@@ -11,9 +11,10 @@ import (
 	"time"
 
 	mssqlhelper "github.com/hashicorp/vault/helper/testhelpers/mssql"
-	dbplugin "github.com/hashicorp/vault/sdk/database/dbplugin/v5"
+	"github.com/hashicorp/vault/sdk/database/dbplugin/v5"
 	dbtesting "github.com/hashicorp/vault/sdk/database/dbplugin/v5/testing"
 	"github.com/hashicorp/vault/sdk/helper/dbtxn"
+	"github.com/stretchr/testify/assert"
 )
 
 func TestInitialize(t *testing.T) {
@@ -43,6 +44,15 @@ func TestInitialize(t *testing.T) {
 			},
 		},
 		"contained_db set": {
+			dbplugin.InitializeRequest{
+				Config: map[string]interface{}{
+					"connection_url": connURL,
+					"contained_db":   true,
+				},
+				VerifyConnection: true,
+			},
+		},
+		"contained_db set string": {
 			dbplugin.InitializeRequest{
 				Config: map[string]interface{}{
 					"connection_url": connURL,
@@ -253,7 +263,10 @@ func TestUpdateUser_password(t *testing.T) {
 			dbtesting.AssertInitializeCircleCiTest(t, db, initReq)
 			defer dbtesting.AssertClose(t, db)
 
-			createTestMSSQLUser(t, connURL, dbUser, initPassword, testMSSQLLogin)
+			err := createTestMSSQLUser(connURL, dbUser, initPassword, testMSSQLLogin)
+			if err != nil {
+				t.Fatalf("Failed to create user: %s", err)
+			}
 
 			assertCredsExist(t, connURL, dbUser, initPassword)
 
@@ -317,7 +330,10 @@ func TestDeleteUser(t *testing.T) {
 	dbtesting.AssertInitializeCircleCiTest(t, db, initReq)
 	defer dbtesting.AssertClose(t, db)
 
-	createTestMSSQLUser(t, connURL, dbUser, initPassword, testMSSQLLogin)
+	err := createTestMSSQLUser(connURL, dbUser, initPassword, testMSSQLLogin)
+	if err != nil {
+		t.Fatalf("Failed to create user: %s", err)
+	}
 
 	assertCredsExist(t, connURL, dbUser, initPassword)
 
@@ -341,6 +357,44 @@ func TestDeleteUser(t *testing.T) {
 	assertCredsDoNotExist(t, connURL, dbUser, initPassword)
 }
 
+func TestSQLSanitization(t *testing.T) {
+	cleanup, connURL := mssqlhelper.PrepareMSSQLTestContainer(t)
+	defer cleanup()
+
+	injectionString := "vaultuser]"
+	dbUser := "vaultuser"
+	initPassword := "p4$sw0rd"
+
+	initReq := dbplugin.InitializeRequest{
+		Config: map[string]interface{}{
+			"connection_url": connURL,
+		},
+		VerifyConnection: true,
+	}
+
+	db := new()
+
+	dbtesting.AssertInitializeCircleCiTest(t, db, initReq)
+	defer dbtesting.AssertClose(t, db)
+
+	err := createTestMSSQLUser(connURL, dbUser, initPassword, testMSSQLLogin)
+	if err != nil {
+		t.Fatalf("Failed to create user: %s", err)
+	}
+
+	assertCredsExist(t, connURL, dbUser, initPassword)
+
+	deleteReq := dbplugin.DeleteUserRequest{
+		Username: injectionString,
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+	_, err = db.DeleteUser(ctx, deleteReq)
+
+	assert.EqualError(t, err, "mssql: Cannot alter the login 'vaultuser]', because it does not exist or you do not have permission.")
+}
+
 func assertCredsExist(t testing.TB, connURL, username, password string) {
 	t.Helper()
 	err := testCredsExist(connURL, username, password)
@@ -369,18 +423,18 @@ func testCredsExist(connURL, username, password string) error {
 	return db.Ping()
 }
 
-func createTestMSSQLUser(t *testing.T, connURL string, username, password, query string) {
+func createTestMSSQLUser(connURL string, username, password, query string) error {
 	db, err := sql.Open("mssql", connURL)
 	defer db.Close()
 	if err != nil {
-		t.Fatal(err)
+		return err
 	}
 
 	// Start a transaction
 	ctx := context.Background()
 	tx, err := db.BeginTx(ctx, nil)
 	if err != nil {
-		t.Fatal(err)
+		return err
 	}
 	defer func() {
 		_ = tx.Rollback()
@@ -391,24 +445,20 @@ func createTestMSSQLUser(t *testing.T, connURL string, username, password, query
 		"password": password,
 	}
 	if err := dbtxn.ExecuteTxQuery(ctx, tx, m, query); err != nil {
-		t.Fatal(err)
+		return err
 	}
 	// Commit the transaction
 	if err := tx.Commit(); err != nil {
-		t.Fatal(err)
+		return err
 	}
+	return nil
 }
 
 const testMSSQLRole = `
 CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}';
 CREATE USER [{{name}}] FOR LOGIN [{{name}}];
 GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO [{{name}}];`
 
-const testMSSQLDrop = `
-DROP USER [{{name}}];
-DROP LOGIN [{{name}}];
-`
-
 const testMSSQLLogin = `
 CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}';
 `
