Re: [sqlite] Coding standard

2019-12-12 Thread Scott Robison
On Thu, Dec 12, 2019, 11:04 PM Valentin Davydov wrote: > On Thu, Dec 12, 2019 at 11:19:44AM -0500, Richard Hipp wrote: > > > > #define sqlite3Strlen30NN(C) (strlen(C)&0x3fff) > > > > The tool does not provide any details beyond "Use of strlen". > > So why not just #define

Re: [sqlite] Coding standard

2019-12-12 Thread Valentin Davydov
On Thu, Dec 12, 2019 at 11:19:44AM -0500, Richard Hipp wrote: > > #define sqlite3Strlen30NN(C) (strlen(C)&0x3fff) > > The tool does not provide any details beyond "Use of strlen". So why not just #define sqlite3Strlen30NN(C) (strnlen(C,0x3fff)) ? From the point of view of program

Re: [sqlite] Securing user supplied SQL statements in a single process

2019-12-12 Thread Mike King
Now, just for giggles here's the regex. It's for a simple SQL like Where clause query language. Hopefully it makes sense :) According to my work colleagues I am considered weird for enjoying writing a regex and they're certainly more fun than waiting for the election result ;) (This was for a

Re: [sqlite] Securing user supplied SQL statements in a single process

2019-12-12 Thread Mike King
It was a very simple cutdown SQL (think just a where clause) and the regex was a multiline affair which picked out tokens using named groups. I then had a function that skipped whitespace tokens and returned the next token (group name) and the value (parsed and validated for dates and numeric

Re: [sqlite] Securing user supplied SQL statements in a single process

2019-12-12 Thread Richard Hipp
On 12/12/19, Warren Young wrote: > On Dec 12, 2019, at 6:08 AM, Mike King wrote: >> >> ...I decided on a simple subset of >> SQL and then wrote a parser using a regex as the tokeniser. > > First, [SQL is not a regular language][1], so it probably cannot be > completely parsed by regexes. Not by

Re: [sqlite] Securing user supplied SQL statements in a single process

2019-12-12 Thread Warren Young
On Dec 12, 2019, at 6:08 AM, Mike King wrote: > > ...I decided on a simple subset of > SQL and then wrote a parser using a regex as the tokeniser. First, [SQL is not a regular language][1], so it probably cannot be completely parsed by regexes. Not by a single regex without surrounding logic,

Re: [sqlite] Coding standard

2019-12-12 Thread Richard Hipp
On 12/12/19, Warren Young wrote: > >> AND only if the struct is then copied to a separate trust domain. > > You mean like in copying from kernel space to user space? Or old-style RPC? > Or mmap() based IPC APIs? Or…? > > I wouldn’t dismiss this warning. Copying from kernel-space to user-space

Re: [sqlite] Coding standard

2019-12-12 Thread Warren Young
On Dec 12, 2019, at 12:12 PM, Jens Alfke wrote: > > On Dec 12, 2019, at 10:36 AM, Simon Slavin wrote: >> >> For instance CodeSonar reports every use of memset() because you /can/ leak >> uninitialised bits of memory using memset() > > ...by writing to a field of a struct AFTER zeroing the

Re: [sqlite] Coding standard

2019-12-12 Thread Jens Alfke
> On Dec 12, 2019, at 10:36 AM, Simon Slavin wrote: > > For instance CodeSonar reports every use of memset() because you /can/ leak > uninitialised bits of memory using memset() (CERT C Section 3.6 DCL39-C). > But it has no way to check whether what you're doing with memset() does >

Re: [sqlite] sqlite sync over network

2019-12-12 Thread Jens Alfke
> On Dec 9, 2019, at 7:43 AM, George wrote: > > (litesync - SQLite Replication and Synchronization) > litesync seems to be a version of sqlite made by Ramos Bernardo from Brazil. Interesting, but I don't see how they can make those kinds of claims without running into conflicts on primary

Re: [sqlite] Coding standard

2019-12-12 Thread Simon Slavin
Thanks for the details. Now we know what you're doing. CodeSonar checks code for many possible faults. This includes many things which are not related to the CERT C Coding Standard guidelines. So not everything on the report is a violation of the standard. You're really asking something

Re: [sqlite] Coding standard

2019-12-12 Thread Richard Hipp
On 12/12/19, Arthur Blondel wrote: > I'm using amalgamation version 3.30.1. and check with CodeSonar I've never heard of CodeSonar before. It appears to be some kind of static analysis tool that reads the source code and tries to infer potential problems. These tools are usually pretty weak,

Re: [sqlite] Coding standard

2019-12-12 Thread Richard Hipp
Also, please send the specific version number (the HASH) of the SQLite you are testing, so that the line numbers in the report will align with the code that I will be looking at. On 12/12/19, Arthur Blondel wrote: > -- Forwarded message - > From: Arthur Blondel > Date: Thu, Dec

Re: [sqlite] Securing user supplied SQL statements in a single process

2019-12-12 Thread Mike King
I had to do something similar. In the end I decided on a simple subset of SQL and then wrote a parser using a regex as the tokeniser. The output was SQL. By doing it this way I could validate field names and make sure all values were correctly formatted and escaped. Cheers On Thu, 12 Dec 2019

Re: [sqlite] Securing user supplied SQL statements in a single process

2019-12-12 Thread Richard Hipp
On 12/12/19, test user wrote: > Hello, > > How can I secure user supplied SQL statements in a single process? See https://www.sqlite.org/security.html for an introduction. Other suggestions: (1) Run the process that is evaluating user-supplied SQL in a sandbox, where it can do no harm if it

Re: [sqlite] Securing user supplied SQL statements in a single process

2019-12-12 Thread Dominique Devienne
On Thu, Dec 12, 2019 at 1:47 PM test user wrote: > How can I secure user supplied SQL statements in a single process? > The one mechanism SQLite has is the authorizer [1]. Whether that's good enough for you, that's for you to determine. --DD [1] https://www.sqlite.org/c3ref/set_authorizer.html

[sqlite] Securing user supplied SQL statements in a single process

2019-12-12 Thread test user
Hello, How can I secure user supplied SQL statements in a single process? For example, if I had a public web service that allows users to create their own SQL strings that I then run in a single server process, what are the chances that they would be able to obtain general remote code execution?

Re: [sqlite] Coding standard

2019-12-12 Thread Richard Hipp
On 12/12/19, Arthur Blondel wrote: > I'm using amalgamation version 3.30.1. and check with CodeSonar > Attached the Security issues. This mailing list strips attachments. Please send via private email. -- D. Richard Hipp d...@sqlite.org

Re: [sqlite] Coding standard

2019-12-12 Thread Arthur Blondel
I'm using amalgamation version 3.30.1. and check with CodeSonar Attached the Security issues. On Wed, Dec 11, 2019 at 4:57 PM Richard Hipp wrote: > On 12/11/19, Arthur Blondel wrote: > > Hello, > > Running the CERT coding standard > > on