<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Thank you Bogdan!</p>
<p>It's worth noting that, if using {s.escape.user}, it won't detect
a SQL injection, however, it may detect other potentially
problematic characters, so one then has to apply both checks
individually, e.g.</p>
<pre>if ( $fU != $(fU{s.escape.common}) || $tU != $(tU{s.escape.common}) ) {
xlog ("Rejecting SQL injection attempt received from $socket_in(proto):$si:$sp (Method: $rm; From: $fu; To: $tu; Contact: $ct).");
send_reply (403,"Forbidden");
exit;
}
if ( $fU != $(fU{s.escape.user}) || $tU != $(tU{s.escape.user}) ) {
xlog ("Rejecting request with unusual characters received from $socket_in(proto):$si:$sp (Method: $rm; From: $fu; To: $tu; Contact: $ct).");
send_reply (403,"Forbidden");
exit;
}</pre>
<p>So above doesn't block UTF-8; it just enforces that it must be
received from the client in fully escaped form.</p>
<p>I'm gathering that UTF-8 is actually acceptable for the user part
(and most other parts) of the URI, provided that it's encoded with
'%'? I work with purely ASCII user parts however, out of interest,
was wondering if it is allowable and/or commonplace to use Unicode
extended character sets for any portions of the URI in parts of
the world where other character sets are more frequently used?
From what I could find, it seems that UTF16 is not allowed in the
User Part and that the domain would be internationalised using
Punycode, so the full URI should always be encoded in ASCII but
with UTF-8 (but not UTF-16) permitted in %-encoded form for the
user part?</p>
<p>With respect to the Contact header, I'm struggling a bit. Is the
syntax below correct?<br>
</p>
<pre>if ( $(ct.fields(uri){uri.user}) != $(ct.fields(uri){uri.user}{s.escape.common}) ) {
send_reply (403,"Forbidden");
exit;
}
</pre>
<div class="moz-cite-prefix">-- <br>
<span style="font-size:11.0pt;font-family:Assistant;color:black">Thanks<br>
</span> <span
style="font-size:11pt;font-family:Assistant;color:#44546A"> <b>Gregory
Massel</b><br>
</span> <span
style="font-size:11.0pt;font-family:Assistant;color:#32444B"> </span></div>
<div class="moz-cite-prefix"><span
style="font-size:11.0pt;font-family:Assistant;color:#32444B"><br>
</span></div>
<div class="moz-cite-prefix">On 2023-12-05 11:33, Bogdan-Andrei
Iancu wrote:<br>
</div>
<blockquote type="cite"
cite="mid:7721d776-dcf5-4271-ae48-ef565b4e5569@opensips.org">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<font face="monospace">Hi Gregory,<br>
<br>
As it is said, there is no single way to skin the cat :). Your
approach is a valid one, by using the escaping transformation.
Maybe you should check the s.escape.user [1]. <br>
<br>
Such checks make sense when using avp_db_query(), so raw
queries. The internal queries (like auth, etc) are done via
prepared statements, so safe to injections.<br>
<br>
[1] <a class="moz-txt-link-freetext"
href="https://www.opensips.org/Documentation/Script-Tran-3-2#s.escape.user"
moz-do-not-send="true">https://www.opensips.org/Documentation/Script-Tran-3-2#s.escape.user</a><br>
<br>
Regards,<br>
</font>
<pre class="moz-signature" cols="72">Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
<a class="moz-txt-link-freetext"
href="https://www.opensips-solutions.com" moz-do-not-send="true">https://www.opensips-solutions.com</a>
<a class="moz-txt-link-freetext" href="https://www.siphub.com"
moz-do-not-send="true">https://www.siphub.com</a></pre>
<div class="moz-cite-prefix">On 30.11.2023 02:34, Gregory Massel
via Users wrote:<br>
</div>
<blockquote type="cite"
cite="mid:d762af95-cf4a-4015-9a9c-1ce42d2cd0dc@switchtel.co.za">
<meta http-equiv="content-type"
content="text/html; charset=UTF-8">
<p>Hi all</p>
<p>I'm wondering what the best practice is in terms of detection
and dropping attempted SQL injection attacks?</p>
<p>Is something like the following adequate or can this be
enhanced:</p>
<pre>if ( $fU != $(fU{s.escape.common}) || $tU != $(tU{s.escape.common}) ) {
drop();
}
</pre>
<div class="moz-signature">Obviously this does not remove the
need to escape anything passed to avp_db_query(), however,
what I want to do is identify these sorts of attacks at the
top of the script and avoid processing.</div>
<div class="moz-signature"><br>
</div>
<div class="moz-signature">To date all the attacks I've seen
focus on the contact and from user, e.g.:</div>
<div class="moz-signature">
<pre>INVITE <a class="moz-txt-link-freetext"
href="sip:00111390237920793@x.x.x.x:5060;transport=UDP"
moz-do-not-send="true">sip:00111390237920793@x.x.x.x:5060;transport=UDP</a> SIP/2.0
Contact: <a class="moz-txt-link-rfc2396E"
href="sip:a'or'3=3--@x.x.x.x:5060;transport=UDP"
moz-do-not-send="true"><sip:a'or'3=3--@x.x.x.x:5060;transport=UDP></a>
To: <a class="moz-txt-link-rfc2396E"
href="sip:00111390237920793@x.x.x.x;transport=UDP"
moz-do-not-send="true"><sip:00111390237920793@x.x.x.x;transport=UDP></a>
From: <a class="moz-txt-link-rfc2396E"
href="sip:a'or'3=3--@x.x.x.x;transport=UDP"
moz-do-not-send="true"><sip:a'or'3=3--@x.x.x.x;transport=UDP></a>;tag=v2pjtxqb</pre>
</div>
<div class="moz-signature">I'm not quite sure how to match the
Contact user. Would the following work?</div>
<div class="moz-signature">
<pre>if ( $(ct.fields(uri){uri.user}) != $(ct.fields(uri){uri.user}{s.escape.common}) ) {
drop();
}
</pre>
</div>
<div class="moz-signature">-- <br>
<span
style="font-size:11.0pt;font-family:Assistant;color:black">Regards<br>
</span> <span
style="font-size:11pt;font-family:Assistant;color:#44546A">
<b>Gregory Massel</b></span><span
style="font-size:11.0pt;font-family:Assistant;color:#32444B"><br>
</span></div>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Users mailing list
<a class="moz-txt-link-abbreviated moz-txt-link-freetext"
href="mailto:Users@lists.opensips.org" moz-do-not-send="true">Users@lists.opensips.org</a>
<a class="moz-txt-link-freetext"
href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users"
moz-do-not-send="true">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a>
</pre>
</blockquote>
<br>
</blockquote>
<div class="moz-signature"><span
style="font-size:11.0pt;font-family:Assistant;color:#32444B"><br>
</span></div>
</body>
</html>