[OpenSIPS-Users] Potential feature request: OpenSIPS security and concept of tainted variables

Gregory Massel greg at switchtel.co.za
Tue May 27 10:15:24 UTC 2025


Hi all

After listening to Sandro's presentation at OpenSIPS Summit, and further 
to posts I sent on 30 Nov 2023 and 5 Dec 2023 ("Help dropping SQL 
injection attacks"), it struck me that the OpenSIPS script allows for 
unsafe variable references by default.

While extremely powerful, this makes configuration implementations 
susceptible to oversights that result in potential injection 
vulnerabilities.

The Exim project addressed this with the concept of "tainted" variables. 
In essence, by default, it prevents you from passing potentially unsafe 
variables to dangerous functions without first filtering or escaping. 
This may be worth consideration as a security feature in future versions 
of OpenSIPS.

It may also be worth considering escaping certain variables by default 
and aliasing the originals, e.g. instead of having to explicitly check 
variables as follows:

# Reject if escaping quote/backslash characters would change the user parts
if ( $fU != $(fU{s.escape.common}) || $tU != $(tU{s.escape.common}) ) {
	xlog ("Rejecting SQL injection attempt received from $socket_in(proto):$si:$sp (Method: $rm; From: $fu; To: $tu; Contact: $ct).");
	send_reply (403,"Forbidden");
	exit;
}
# Reject if the user parts contain characters not allowed unescaped in a SIP user
if ( $fU != $(fU{s.escape.user}) || $tU != $(tU{s.escape.user}) ) {
	xlog ("Rejecting request with unusual characters received from $socket_in(proto):$si:$sp (Method: $rm; From: $fu; To: $tu; Contact: $ct).");
	send_reply (403,"Forbidden");
	exit;
}

# Same check on the user part of the Contact URI
if ( $(ct.fields(uri){uri.user}) != $(ct.fields(uri){uri.user}{s.escape.common}) ) {
	send_reply (403,"Forbidden");
	exit;
}

There may be something to be said for having variables like $fU, $tU 
escaped by default and adding variables like $unsafe_fU, $unsafe_tU 
that contain the original values. Backwards compatibility could be 
achieved with a core configuration variable to disable this.

Alternatively, as with Exim, if one tries to reference the variables 
within a database function or exec function, regard these variables as 
"tainted" and throw an error if the {s.escape.common} (or similar) isn't 
applied.

Regards

Greg
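Added example, not part of Greg's message and not OpenSIPS code: a small Python model of the "tainted variable" idea described above. Request-derived values are wrapped as Tainted and a stand-in database sink refuses them until escaped; escape_common is assumed to mirror OpenSIPS's {s.escape.common} (backslash-escaping ', ", \ and NUL), and the names TaintError, Tainted, db_query and lookup_user are hypothetical.

```python
# Model of the taint proposal: values taken from the SIP message are
# Tainted; a dangerous sink (database call) rejects them unless they
# have first been escaped, as Exim does.  Not OpenSIPS code.

class TaintError(Exception):
    """Raised when a tainted value reaches a dangerous sink unescaped."""


class Tainted(str):
    """A string copied straight out of the request (e.g. $fU, $tU)."""


def escape_common(value):
    """Assumed model of {s.escape.common}: backslash-escape quote,
    double quote, backslash and NUL.  Returns an untainted plain str."""
    out = []
    for ch in value:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def needs_escaping(value):
    """The check from the script above: true if escaping changes the value."""
    return escape_common(value) != value


def db_query(template, *args):
    """Stand-in database function: refuses any Tainted argument and
    otherwise returns the SQL text it would execute."""
    for arg in args:
        if isinstance(arg, Tainted):
            raise TaintError("tainted value passed to db_query: %r" % arg)
    return template % tuple(args)


def lookup_user(from_user):
    """Routing logic: reject unusual input (mirrors send_reply 403),
    otherwise escape before the sink so the taint check passes."""
    if needs_escaping(from_user):
        return "403 Forbidden"
    return db_query("SELECT * FROM subscriber WHERE username='%s'",
                    escape_common(from_user))
```

Passing the Tainted value straight to db_query raises TaintError, which is the error the proposal would have the script interpreter throw.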