Thread: [mod-security-users] normalizeSql transformation
From: Marc S. <mar...@ap...> - 2011-10-21 11:53:15
Hello,

While working with Breno on the implementation of the sqlHexDecode transformation function, I managed to take the time to design a normalization function for SQL. Here is what it would do:

1. Transform 0x...
2. Merge all redundant spaces (including tabs, CR, LF) to one space
3. Merge all redundant quotes (single, double & back) to one single quote
4. Remove all backslashes
5. Remove space around operators (plus, minus, etc.)
6. Remove space before & after a quote (not sure about this one)

What do you think about that?
Anything missing?
What about removing space before/after a quote?

Regards

Marc Stern
Security Expert - Head of Security Consulting Division
Approach Belgium - www.approach.be <http://www.approach.be>
LinkedIn <http://www.linkedin.com/in/marcstern>

------------------------------------------------------------------------
This e-mail and any attachment are confidential and intended solely for the use of the individual to whom it is addressed. If you are not the intended recipient, please contact the sender and delete this message and any attachment from your system. Unauthorised publication, use, dissemination, forwarding, printing or copying of this e-mail and its associated attachments is strictly prohibited.
From: Achim H. <web...@si...> - 2011-10-21 12:48:38
Hi Marc,

your suggestion is a first step.
IMHO it at least misses comments.
Second, having comments in mind, you need to write a sophisticated parser for SQL. Example:

SELECT * FROM tab WHERE col='a/* comment'
+ /* real comment \*/ ' continues here' +
/* but don't
get fooled */
' */' and col LIKE ' */' -- another comment */ it this

such a parser must know about the real SQL syntax (think TSQL, PSQL).

It also misses backticks, which are allowed in SQL syntax.

Hope this helps to get the idea running ...
Achim
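As an added example (not code from this thread or from ModSecurity), here is a Python sketch of the six steps Marc proposes, preceded by the comment stripping Achim asks for. Run on Achim's own example, it shows why comments can only be removed by a scanner that tracks whether it is inside a string literal, and why a regex-only stripper loses a quote. The function names (normalize_sql, strip_sql_comments, naive_strip_comments) are assumptions.

```python
import re

# Constructed sample: Achim's example from this thread, joined onto one line.
SAMPLE = ("SELECT * FROM tab WHERE col='a/* comment' + /* real comment \\*/ "
          "' continues here' + /* but don't get fooled */ ' */' and col LIKE ' */' "
          "-- another comment */ it this")
def strip_sql_comments(sql: str) -> str:
    """Drop /* */ and -- comments, but only outside string literals: a /* inside
    a quoted string (col='a/* comment') is data, not a comment opener."""
    out, i, n, quote = [], 0, len(sql), None
    while i < n:
        c = sql[i]
        if quote:                               # inside a string literal
            out.append(c)
            if c == "\\" and i + 1 < n:         # backslash escape keeps the next char
                out.append(sql[i + 1]); i += 1
            elif c == quote:
                quote = None
            i += 1
        elif c in "'\"`":                       # single, double or backtick quote opens
            quote = c; out.append(c); i += 1
        elif sql.startswith("/*", i):           # block comment: skip to the first */
            end = sql.find("*/", i + 2)
            i = n if end < 0 else end + 2
            out.append(" ")                     # keep a separator so tokens do not fuse
        elif sql.startswith("--", i):           # line comment: skip to end of line
            end = sql.find("\n", i)
            i = n if end < 0 else end
        else:
            out.append(c); i += 1
    return "".join(out)

def naive_strip_comments(sql: str) -> str:
    """Regex-only stripping, for comparison: it takes the /* inside the literal
    as a comment opener and eats the closing quote of 'a/* comment'."""
    return re.sub(r"--[^\n]*", "", re.sub(r"/\*.*?\*/", " ", sql, flags=re.S))

def normalize_sql(sql: str) -> str:
    """The six steps proposed in the thread, applied after comment stripping."""
    sql = strip_sql_comments(sql)
    sql = re.sub(r"0x((?:[0-9A-Fa-f]{2})+)\b",                 # 1. decode 0x... literals
                 lambda m: bytes.fromhex(m.group(1)).decode("latin-1"), sql)
    sql = re.sub(r"\s+", " ", sql)                           # 2. collapse whitespace
    sql = re.sub(r"['\"`]+", "'", sql)                       # 3. merge quotes to one '
    sql = sql.replace("\\", "")                              # 4. drop backslashes
    sql = re.sub(r"\s*([+\-*/=<>,()])\s*", r"\1", sql)       # 5. no space around operators
    sql = re.sub(r"\s*'\s*", "'", sql)                       # 6. no space around a quote
    return sql.strip()
```

The quote count of the two strippers' output is the quick check: the scanner keeps all four literals balanced, while the regex version ends with an odd number of quotes. Step 6 also shows Marc's doubt in practice, since it fuses the closing quote with the following keyword ("'*/'and").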
From: Marc S. <mar...@ap...> - 2011-10-23 09:08:26
Hi Achim,

Backticks are planned.
Comments are obviously still a problem, like with the default transformation.

Regards

Marc Stern
Security Expert - Head of Security Consulting Division
Approach Belgium - www.approach.be <http://www.approach.be>
LinkedIn <http://www.linkedin.com/in/marcstern>