[OpenSIPS-Users] Potential feature request: OpenSIPS security and concept of tainted variables

Tue, 27 May 2025 03:18:26 -0700 

Hi all
After listening to Sandro's presentation at OpenSIPS Summit, and further to posts I sent on 30 Nov 2023 and 5 Dec 2023 ("Help dropping SQL injection attacks"), it struck me that the OpenSIPS script allows for unsafe variable references by default. 


While extremely powerful, this makes configuration implementations 
susceptible to oversights that result in potential injection 
vulnerabilities.



The Exim project addressed this with the concept of "tainted" variables. 
In essence, by default, it prevents you to passing potentially unsafe 
variables to dangerous functions without first filtering or escapting. 
This may be worth consideration as a security feature in future versions 
of OpenSIPS.



It may also be worth considering escaping certain variables by default 
and aliasing the originals. E.g. Instead of having to explicitly check 
variables as follows:


if ( $fU != $(fU{s.escape.common}) || $tU != $(tU{s.escape.common}) ) {
        xlog ("Rejecting SQL injection attempt received from 
$socket_in(proto):$si:$sp (Method: $rm; From: $fu; To: $tu; Contact: $ct).");
        send_reply (403,"Forbidden");
        exit;
}
if ( $fU != $(fU{s.escape.user}) || $tU != $(tU{s.escape.user}) ) {
        xlog ("Rejecting request with unusual characters received from 
$socket_in(proto):$si:$sp (Method: $rm; From: $fu; To: $tu; Contact: $ct).");
        send_reply (403,"Forbidden");
        exit;
}

if ( $(ct.fields(uri){uri.user}) != 
$(ct.fields(uri){uri.user}{s.escape.common}) ) {
        send_reply (403,"Forbidden");
        exit;
}


There may be something to be said for having variables like $fU, $tU 
escaped by default and adding variables like $unsafe_fU, $unsafe_tU 
contain the original variables. Backwards compatibility could be 
achieved with a core configuration variable to disable this.



Alternatively, as with Exim, if one tries to reference the variables 
within a database function or exec function, regard these variables as 
"tainted" and throw an error if the {s.escape.common} (or similar) isn't 
applied.


Regards

Greg

_______________________________________________
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users






















					Reply via email to