<!DOCTYPE html>
<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p>Thank you Bogdan!</p>
    <p>It's worth noting that, if using {s.escape.user}, it won't detect
      a SQL injection, however, it may detect other potentially
      problematic characters, so one then has to apply both checks
      individually, e.g.</p>
    <pre>if ( $fU != $(fU{s.escape.common}) || $tU != $(tU{s.escape.common}) ) {
        xlog ("Rejecting SQL injection attempt received from $socket_in(proto):$si:$sp (Method: $rm; From: $fu; To: $tu; Contact: $ct).");
        send_reply (403,"Forbidden");
        exit;
}
if ( $fU != $(fU{s.escape.user}) || $tU != $(tU{s.escape.user}) ) {
        xlog ("Rejecting request with unusual characters received from $socket_in(proto):$si:$sp (Method: $rm; From: $fu; To: $tu; Contact: $ct).");
        send_reply (403,"Forbidden");
        exit;
}</pre>
    <p>So above doesn't block UTF-8; it just enforces that it must be
      received from the client in fully escaped form.</p>
    <p>I'm gathering that UTF-8 is actually acceptable for the user part
      (and most other parts) of the URI, provided that it's encoded with
      '%'? I work with purely ASCII user parts however, out of interest,
      was wondering if it is allowable and/or commonplace to use Unicode
      extended character sets for any portions of the URI in parts of
      the world where other character sets are more frequently used?
      From what I could find, it seems that UTF16 is not allowed in the
      User Part and that the domain would be internationalised using
      Punycode, so the full URI should always be encoded in ASCII but
      with UTF-8 (but not UTF-16) permitted in %-encoded form for the
      user part?</p>
    <p>With respect to the Contact header, I'm struggling a bit. Is the
      syntax below correct?<br>
    </p>
    <pre>if ( $(ct.fields(uri){uri.user}) != $(ct.fields(uri){uri.user}{s.escape.common}) ) {
        send_reply (403,"Forbidden");
        exit;
}
</pre>
    <div class="moz-cite-prefix">-- <br>
      <span style="font-size:11.0pt;font-family:Assistant;color:black">Thanks<br>
      </span> <span
        style="font-size:11pt;font-family:Assistant;color:#44546A"> <b>Gregory
          Massel</b><br>
      </span> <span
        style="font-size:11.0pt;font-family:Assistant;color:#32444B"> </span></div>
    <div class="moz-cite-prefix"><span
        style="font-size:11.0pt;font-family:Assistant;color:#32444B"><br>
      </span></div>
    <div class="moz-cite-prefix">On 2023-12-05 11:33, Bogdan-Andrei
      Iancu wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:7721d776-dcf5-4271-ae48-ef565b4e5569@opensips.org">
      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
      <font face="monospace">Hi Gregory,<br>
        <br>
        As it is said, there is no single way to skin the cat :). Your
        approach is a valid one, by using the escaping transformation.
        Maybe you should check the s.escape.user [1]. <br>
        <br>
        Such checks make sense when using avp_db_query(), so raw
        queries. The internal queries (like auth, etc) are done via
        prepared statements, so safe to injections.<br>
        <br>
        [1] <a class="moz-txt-link-freetext"
href="https://www.opensips.org/Documentation/Script-Tran-3-2#s.escape.user"
          moz-do-not-send="true">https://www.opensips.org/Documentation/Script-Tran-3-2#s.escape.user</a><br>
        <br>
        Regards,<br>
      </font>
      <pre class="moz-signature" cols="72">Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
  <a class="moz-txt-link-freetext"
      href="https://www.opensips-solutions.com" moz-do-not-send="true">https://www.opensips-solutions.com</a>
  <a class="moz-txt-link-freetext" href="https://www.siphub.com"
      moz-do-not-send="true">https://www.siphub.com</a></pre>
      <div class="moz-cite-prefix">On 30.11.2023 02:34, Gregory Massel
        via Users wrote:<br>
      </div>
      <blockquote type="cite"
        cite="mid:d762af95-cf4a-4015-9a9c-1ce42d2cd0dc@switchtel.co.za">
        <meta http-equiv="content-type"
          content="text/html; charset=UTF-8">
        <p>Hi all</p>
        <p>I'm wondering what the best practice is in terms of detection
          and dropping attempted SQL injection attacks?</p>
        <p>Is something like the following adequate or can this be
          enhanced:</p>
        <pre>if ( $fU != $(fU{s.escape.common}) || $tU != $(tU{s.escape.common}) ) {
        drop();
}

</pre>
        <div class="moz-signature">Obviously this does not remove the
          need to escape anything passed to avp_db_query(), however,
          what I want to do is identify these sorts of attacks at the
          top of the script and avoid processing.</div>
        <div class="moz-signature"><br>
        </div>
        <div class="moz-signature">To date all the attacks I've seen
          focus on the contact and from user, e.g.:</div>
        <div class="moz-signature">
          <pre>INVITE <a class="moz-txt-link-freetext"
          href="sip:00111390237920793@x.x.x.x:5060;transport=UDP"
          moz-do-not-send="true">sip:00111390237920793@x.x.x.x:5060;transport=UDP</a> SIP/2.0
Contact: <a class="moz-txt-link-rfc2396E"
          href="sip:a'or'3=3--@x.x.x.x:5060;transport=UDP"
          moz-do-not-send="true"><sip:a'or'3=3--@x.x.x.x:5060;transport=UDP></a>
To: <a class="moz-txt-link-rfc2396E"
          href="sip:00111390237920793@x.x.x.x;transport=UDP"
          moz-do-not-send="true"><sip:00111390237920793@x.x.x.x;transport=UDP></a>
From: <a class="moz-txt-link-rfc2396E"
          href="sip:a'or'3=3--@x.x.x.x;transport=UDP"
          moz-do-not-send="true"><sip:a'or'3=3--@x.x.x.x;transport=UDP></a>;tag=v2pjtxqb</pre>
        </div>
        <div class="moz-signature">I'm not quite sure how to match the
          Contact user. Would the following work?</div>
        <div class="moz-signature">
          <pre>if ( $(ct.fields(uri){uri.user}) != $(ct.fields(uri){uri.user}{s.escape.common}) ) {
        drop();
}
</pre>
        </div>
        <div class="moz-signature">-- <br>
          <span
            style="font-size:11.0pt;font-family:Assistant;color:black">Regards<br>
          </span> <span
            style="font-size:11pt;font-family:Assistant;color:#44546A">
            <b>Gregory Massel</b></span><span
            style="font-size:11.0pt;font-family:Assistant;color:#32444B"><br>
          </span></div>
        <br>
        <fieldset class="moz-mime-attachment-header"></fieldset>
        <pre class="moz-quote-pre" wrap="">_______________________________________________
Users mailing list
<a class="moz-txt-link-abbreviated moz-txt-link-freetext"
        href="mailto:Users@lists.opensips.org" moz-do-not-send="true">Users@lists.opensips.org</a>
<a class="moz-txt-link-freetext"
        href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users"
        moz-do-not-send="true">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a>
</pre>
      </blockquote>
      <br>
    </blockquote>
    <div class="moz-signature"><span
        style="font-size:11.0pt;font-family:Assistant;color:#32444B"><br>
      </span></div>
  </body>
</html>