Hi there!
I have the typical Advanced SQL with the ORDER BY passed with ExpandInline = Yes, where the OrderBy parameter is the sort column in the table, for example: Id Desc
Now, I have a warning that says:
SQL Injection - When adding an expand inline parameter after a Group By or Order By, make sure to sanitize the parameter value. Otherwise, the action may be vulnerable to SQL injection.
In order to "sanitize the SQL parameters", doing it following best practices and removing the IDE warning, what would be the best way?
So, how to do it following best practices and removing the warning from Service Studio?
Thanks,
I am not forgetting this post, but it took me a long time to get an official response.
I have been talking with support team, and their answer is:
But they have recognized that there is no "official" way to remove the warning (not just hide it) and do it following best practices, and have sent the problem to the "development team".
So can you check that on this post?
There is a really good explanation by @Dorine Boudry and Cristiana Umbelino
https://www.outsystems.com/forums/discussion/59321/sort-sql-query-in-reactive-web/#Post248415
Kind regards,
Márcio
Hi Márcio,
I had checked this post before, and it talks about some topics that I believe don't resolve the entire question. It talks about Building Dynamic SQL Statements the Right Way, which redirects to this other topic, How to enable dynamic sorting in a table fed by a SQL query, that, in addition to making a function with a series of very manual replacements, does not solve the warning that Outsystems gives (even if it solves the vulnerability itself). In one of the screenshots in the link you can see that the warning still appears.
Other people here also offer an oml with the same solution, but, also, the warning is still present.
Is there any way to, on the one hand, solve the warning in a correct way, and on the other hand, have Outsystems detect that it has been solved and not show the warning?
In this case, you can still follow the best practices but the warning will still be there.
The topics/articles you shared demonstrate a nice way of securing parameters with the expand inline!
Attention that BuildSafe_In is for when you want to use the IN clause with a list of data.
So from what I know now on this topic, and what I am going to say is not completely certain, is that the warning is nothing to be afraid of, because it is there for us to know that there might be a security breach through the input parameter that has the expand inline. So maybe you can hide the warning.
On the other hand, I would still ask Outsystems support why that still happens nowadays.
ps: I would want to know how to clear that warning, and why we cannot, because I am working and have worked where that warning is still there....
I believe that the right answer is "there is no way to remove the warning and do it right". I'll ask Outsystems, to try to get an official answer.
Hi,
Try the code below.
If(TableSort = "", "1", EncodeSql(TableSort)) + If (OrderIsAscending , " ASC", " DESC")
Hi Vijay,
I have checked your code, the problem is the same, Outsystems returns another warning
Regards
OutSystems still haven't provided a good official solution to this problem (I don't know why they haven't built sanitization into the AdvancedSQL widget itself). However, there is now a comprehensive how-to guide for the recommendation approach, even though it still doesn't remove the Service Studio warning.
https://success.outsystems.com/documentation/how_to_guides/development/how_to_enable_dynamic_sorting_in_a_table_fed_by_a_sql_query/
Hey Carlos,
If the problem is just with getting around the warning you can do the following:
By the way, I tested the solution of passing the TableSort inside BuildSafe_InClauseTextList and then applying the substring to remove both quotes, and it works fine as well. It removes the warning and is secure against SQL injection, since TableSort is passed inside the sanitization action.
Let me know if it solved it for you.
Just stumbled upon this today while trying to sort out a similar warning.
Unfortunately this doesn't work anymore since platform version 11.23.1 (at least the ones that use SQL Server) due to a change Outsystems made in BuildSafe_InClauseTextList: it now adds an N' to its output, so stuff like N'SomeColumn DESC will throw an error when the Advanced SQL is run.
How to resolve it, Bro? Now I get stuck with this.
Unfortunately, there's no way to solve the warning. Only the sanitization part can be solved, as mentioned by Ross: https://www.outsystems.com/forums/discussion/73908/best-way-to-solve-warning-using-dynamic-orderby-in-avancesql/#Post375680.
The warning can be hidden, and on AI Mentor flagged as a False Positive, but this is as far as it is possible to go with this issue 🤷
@Carlos Bragança
tricking the warning away is in no way making your application safe against injection
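The thread agrees on two points: the Service Studio warning cannot be removed, and the ExpandInline value must be constrained before it reaches the query. The example below is added here to show the constraint the linked how-to guide and the last reply are talking about, as an allow-list, written in Python so it can be run; it is not code from this thread, from OutSystems, or from the how-to guide. The column names, the `[Id]`-style identifiers, and the `TableSort` format ("Column" or "Column Asc/Desc") are constructed assumptions; in OutSystems the same mapping would live in a server action that runs before the value is bound to the ExpandInline parameter. It also includes a small `escape_literal` helper to show why string-literal escaping (the job a function such as EncodeSql does) is not a substitute: it leaves an identifier essentially unchanged, so it constrains nothing.

```python
import re

# Constructed allow-list for the example: the only columns this query may sort by.
# Keys are the values the UI is allowed to send (compared case-insensitively);
# values are the identifiers that actually reach the SQL text. Nothing else is
# ever concatenated into the query, so the ORDER BY fragment can only be built
# from these fixed strings plus "ASC"/"DESC".
ALLOWED_SORT_COLUMNS = {
    "id": "[Id]",
    "name": "[Name]",
    "createdon": "[CreatedOn]",
}
DEFAULT_ORDER_BY = "[Id] ASC"  # assumed fallback when the input is not acceptable

# Accept exactly "Column" or "Column Asc"/"Column Desc" for the whole string.
# Anchoring with ^ and $ means commas, semicolons, comments or a second
# expression never match, regardless of what the column name is.
_SORT_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*(asc|desc)?\s*$", re.IGNORECASE)


def parse_sort(table_sort):
    """Return (column_key, direction) for a well-formed sort spec, else None."""
    if table_sort is None:
        return None
    m = _SORT_RE.match(table_sort)
    if not m:
        return None
    return m.group(1).lower(), (m.group(2) or "ASC").upper()


def build_order_by(table_sort, allowed=ALLOWED_SORT_COLUMNS, default=DEFAULT_ORDER_BY):
    """Translate a 'Column Direction' string into an ORDER BY fragment built only
    from allow-listed identifiers. Unknown or malformed input falls back to the
    default instead of being passed through."""
    parsed = parse_sort(table_sort)
    if parsed is None:
        return default
    column_key, direction = parsed
    identifier = allowed.get(column_key)
    if identifier is None:
        return default
    return f"{identifier} {direction}"


def is_valid_sort(table_sort, allowed=ALLOWED_SORT_COLUMNS):
    """Strict variant for callers that prefer to reject rather than fall back:
    True only when the value maps to an allow-listed column."""
    parsed = parse_sort(table_sort)
    return parsed is not None and parsed[0] in allowed


def escape_literal(value):
    """String-literal escaping (doubling single quotes), the kind of transformation
    a value needs inside '...'. For an identifier or an ORDER BY clause the text
    comes back essentially unchanged, which is why this alone is not sanitization
    for an ExpandInline parameter."""
    return value.replace("'", "''")


if __name__ == "__main__":
    # Constructed sample inputs, including malformed and unknown ones.
    for sample in ["Id Desc", "name", "CreatedOn ASC", "Id DESC, Name", "Phone", ""]:
        print(f"{sample!r:18} -> {build_order_by(sample)!r}")
```

Keeping the allow-list next to the query is the point: the set of sortable columns is a property of that query, so the mapping should be maintained with it rather than derived from whatever text the client sends. The Service Studio warning will still be shown, as the replies above note, because the platform only sees that an ExpandInline parameter follows ORDER BY, not that the value was constrained upstream.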