On Wed, Dec 06, 2023 at 02:25:39PM -0500, Wietse Venema via Postfix-devel wrote:
> > This is a good point. Honestly, I didn't think about escaping characters
> > because the queries are meant to be in JSON form and taken literally,

For a lookup key to be taken "literally" its metacharacters MUST be
escaped, so that it does not introduce unintended syntax!  The data
interpolated via '%s' and '%u' comes from untrusted sources and MUST
NOT be allowed to introduce a (no)SQL-injection attack:

    https://xkcd.com/327/

The documentation should clearly state that all %s/%u/%d/%[1-9]
expansions MUST be enclosed in double quotes to ensure valid JSON
string syntax:

    - { "anyaddr": "%s" }
    - { "domainaddr": "%u@%d" }
    - { "2ld": "%2.%1" }
    - ...

There is no mechanism for non-string or structured compound inputs to
the Postfix table lookup layer, so the lookup key is always an
unstructured string, containing untrusted data, and will be escaped
for inclusion in a quoted string, but the enclosing quotes MUST be
provided by the Postfix administrator configuring the lookup table.

[ By the way, db_common_expand() assumes that domain names do not
  contain escaped "." characters in labels, and just performs a naïve
  split on "." rather than parsing a general presentation-form domain,
  which might be "foo\.bar.example.com", with "foo.bar" as its logical
  first label.  I expect that's not a concern, since non-RFC1123 names
  are broadly rejected by Postfix at various layers. ]

> > > (minor) the database config file parser does not expand $name,
> > > ${name} etc. so '$$' is taken literally, not as '$'. I can remove
> > > that text from the mongodb_table file
> >
> > I think in the mongodb_table file, the expansions like $$ are included for
> > query_filter and projection. "query_filter" is expanded in
> > dict_mongodb_lookup (line 411), but projection is not. It would be best to
> > expand projection as well (maybe around line 377?)
>
> What code is supposed to pay attention to '$' characters? The Postfix client?
> The MongoC library?

I don't see any code that expands "$$" to just "$".  The referenced
db_common_expand() function called near line 411:

    https://github.com/wietse-postfix/postfix-dukhovni/blob/c753d0a358fc6e02ca3bf8b25a2598aedea4dfb8/postfix/src/global/db_common.c#L408-L510

does nothing special with '$' characters.  If MongoDB expects "$or"
as an operator, then this is verbatim what needs to be in the query.

Has this code been tested?  I don't understand how the "$$or" ever
worked:

    https://www.mongodb.com/docs/manual/reference/operator/query/or/

-- 
    Viktor.

_______________________________________________
Postfix-devel mailing list -- postfix-devel@postfix.org
To unsubscribe send an email to postfix-devel-le...@postfix.org
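[Editor's note: the following is an added illustration of the point made above about quoting and escaping %s/%u/%d/%[1-9] expansions in a JSON query template. It is not Postfix code and is not db_common_expand(); the escaping routine, the template engine, the hostile lookup key and the "%u of a non-address key" behaviour are all constructed assumptions for the demonstration. It shows that (a) with the administrator-supplied quotes and key escaping, a hostile key stays a single string value; (b) without escaping, the same key injects a second top-level field such as "$where"; and (c) without the enclosing quotes, even a benign key yields invalid JSON.]

```python
"""
Added example, not Postfix code: expanding a JSON lookup template so that
untrusted lookup-key data cannot change the query's structure.

Template syntax follows the thread: %s = whole key, %u = local part,
%d = domain, %1..%9 = domain labels counted from the right (so "%2.%1"
is the second-level domain).  The escaping and expansion functions here
are an illustration, not db_common_expand().
"""
import json
import re

# Characters that would break out of, or corrupt, a JSON string literal.
_ESCAPES = {'\\': '\\\\', '"': '\\"', '\n': '\\n', '\r': '\\r', '\t': '\\t'}


def json_string_escape(value: str) -> str:
    """Escape value for inclusion INSIDE a JSON double-quoted string.

    The enclosing quotes are not added here: as the thread says, they must
    be supplied by the administrator in the template itself.
    """
    out = []
    for ch in value:
        if ch in _ESCAPES:
            out.append(_ESCAPES[ch])
        elif ord(ch) < 0x20:                 # other control characters
            out.append('\\u%04x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def expand(template: str, key: str, escape=json_string_escape) -> str:
    """Expand %s/%u/%d/%[1-9] in template with escaped pieces of key.

    Domain labels come from a naive split on '.', mirroring the behaviour
    the thread attributes to db_common_expand().  Assumption for this
    example: a key without '@' is treated as all local part, empty domain.
    """
    local, sep, domain = key.rpartition('@')
    if not sep:
        local, domain = key, ''
    labels = domain.split('.')[::-1]         # %1 = rightmost label

    def piece(m):
        which = m.group(1)
        if which == 's':
            raw = key
        elif which == 'u':
            raw = local
        elif which == 'd':
            raw = domain
        else:
            n = int(which)
            raw = labels[n - 1] if n <= len(labels) else ''
        return escape(raw)

    return re.sub(r'%([sud1-9])', piece, template)


def query_keys(template: str, key: str, escape=json_string_escape):
    """Top-level field names of the expanded query, or None if it is not
    a valid JSON object.  Extra field names mean the key injected syntax."""
    try:
        doc = json.loads(expand(template, key, escape))
    except json.JSONDecodeError:
        return None
    return sorted(doc) if isinstance(doc, dict) else None


def field_value(template: str, key: str, field: str, escape=json_string_escape):
    """Value of one field of the expanded query, parsed as JSON."""
    return json.loads(expand(template, key, escape))[field]


# Constructed inputs for the demonstration.
SAFE_TEMPLATE = '{ "anyaddr": "%s" }'       # quotes supplied by the admin
UNSAFE_TEMPLATE = '{ "anyaddr": %s }'       # admin forgot the quotes
HOSTILE_KEY = 'x", "$where": "1==1'         # tries to add a second field
NO_ESCAPE = lambda s: s                     # simulates a missing escaper

if __name__ == '__main__':
    print(expand(SAFE_TEMPLATE, HOSTILE_KEY))
    print('escaped   :', query_keys(SAFE_TEMPLATE, HOSTILE_KEY))
    print('unescaped :', query_keys(SAFE_TEMPLATE, HOSTILE_KEY, NO_ESCAPE))
    print('unquoted  :', query_keys(UNSAFE_TEMPLATE, 'user@example.com'))
    print(expand('{ "2ld": "%2.%1" }', 'user@mail.example.com'))
```

With escaping, the hostile key survives as one string value under "anyaddr"; with a naive substitution it becomes a second top-level field, which is the (no)SQL-injection the message warns about. The unquoted template fails to parse even for a benign key, which is why the documentation should require the enclosing quotes.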