prevent sql injection

Author: yamaceay

Makefile

@@ -57,7 +57,7 @@ test-e2e: $(KIND) $(HELM3) build
 	@$(INFO) running e2e tests
 	@echo E2E_IMAGES=$$E2E_IMAGES
 	# echo E2E_IMAGES=$$E2E_IMAGES > e2e.env
-	HANA_BINDINGS=$$HANA_BINDINGS go test $(PROJECT_REPO)/test/... -tags=e2e -test.v  -count=1
+	source test/e2e/secrets/secrets.env && HANA_BINDINGS=$$HANA_BINDINGS go test $(PROJECT_REPO)/test/... -tags=e2e -test.v  -count=1
 	@$(OK) e2e tests passed
 
 # Update the submodules, such as the common build scripts.

apis/admin/v1alpha1/auditpolicy_types.go

@@ -17,12 +17,16 @@ import (
 type AuditPolicyParameters struct {
 	PolicyName string `json:"policyName"`
 
+	// +kubebuilder:validation:items:Pattern:=`^[^",\$\.'\+\-<>|\[\]\{\}\(\)!%*,/:;=\?@\\^~\x60]+$`
+	// +listType=set
 	AuditActions []string `json:"auditActions"`
 
 	// +kubebuilder:default:=ALL
+	// +kubebuilder:validation:Enum:=SUCCESSFUL;UNSUCCESSFUL;ALL
 	AuditStatus string `json:"auditStatus,omitempty"`
 
 	// +kubebuilder:default:=CRITICAL
+	// +kubebuilder:validation:Enum:=EMERGENCY;ALERT;CRITICAL;WARNING;INFO
 	AuditLevel string `json:"auditLevel,omitempty"`
 
 	// +kubebuilder:default:=7

apis/admin/v1alpha1/role_types.go

@@ -17,16 +17,16 @@ import (
 type RoleParameters struct {
 	// +kubebuilder:validation:Optional
 	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable"
-	// +kubebuilder:validation:Pattern:=`^[^",\$\.'\+\-<>|\[\]\{\}\(\)!%*,/:;=\?@\\^~\x60a-z]+$`
 	RoleName string `json:"roleName"`
 
 	// +kubebuilder:validation:Optional
 	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable"
-	// +kubebuilder:validation:Pattern:=`^[^",\$\.'\+\-<>|\[\]\{\}\(\)!%*,/:;=\?@\\^~\x60a-z]+$`
 	Schema string `json:"schema,omitempty"`
 
+	// +listType=set
 	LdapGroups []string `json:"ldapGroups,omitempty"`
 
+	// +listType=set
 	Privileges []string `json:"privileges,omitempty"`
 
 	// +kubebuilder:validation:Optional

apis/admin/v1alpha1/user_types.go

@@ -29,7 +29,7 @@ type Password struct {
 type UserParameters struct {
 	// +kubebuilder:validation:Optional
 	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable"
-	// +kubebuilder:validation:Pattern:=`^[^",\$\.'\+\-<>|\[\]\{\}\(\)!%*,/:;=\?@\\^~\x60a-z]+$`
+	// +kubebuilder:validation:Pattern:=`^[^",\$\.'\+\-<>|\[\]\{\}\(\)!%*,/:;=\?@\\^~\x60]+$`
 	Username string `json:"username"`
 
 	// +kubebuilder:validation:Optional
@@ -49,7 +49,7 @@ type UserParameters struct {
 	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable"
 	Parameters map[string]string `json:"parameters,omitempty"`
 
-	// +kubebuilder:validation:Pattern:=`^[^",\$\.'\+\-<>|\[\]\{\}\(\)!%*,/:;=\?@\\^~\x60a-z]+$`
+	// +kubebuilder:validation:Pattern:=`^[^",\$\.'\+\-<>|\[\]\{\}\(\)!%*,/:;=\?@\\^~\x60]+$`
 	// +kubebuilder:default:=DEFAULT
 	Usergroup string `json:"usergroup,omitempty" default:"DEFAULT"`
 

apis/admin/v1alpha1/usergroup_types.go

@@ -16,7 +16,6 @@ import (
 type UsergroupParameters struct {
 	// +kubebuilder:validation:Optional
 	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable"
-	// +kubebuilder:validation:Pattern:=`^[^",\$\.'\+\-<>|\[\]\{\}\(\)!%*,/:;=\?@\\^~\x60a-z]+$`
 	UsergroupName string `json:"usergroupName"`
 
 	DisableUserAdmin bool `json:"disableUserAdmin,omitempty"`
@@ -29,6 +28,7 @@ type UsergroupParameters struct {
 
 	// +kubebuilder:validation:Optional
 	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable"
+	// +kubebuilder:validation:Enum:="";password policy
 	EnableParameterSet string `json:"enableParameterSet,omitempty"`
 }
 

apis/schema/v1alpha1/dbschema_types.go

@@ -17,10 +17,9 @@ import (
 type DbSchemaParameters struct {
 	// +kubebuilder:validation:Optional
 	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable"
-	// +kubebuilder:validation:Pattern:=`^[^",\$\.'\+\-<>|\[\]\{\}\(\)!%*,/:;=\?@\\^~\x60a-z]+$`
 	SchemaName string `json:"schemaName"`
 
-	// +kubebuilder:validation:Pattern:=`^[^",\$\.'\+\-<>|\[\]\{\}\(\)!%*,/:;=\?@\\^~\x60a-z]+$`
+	// +kubebuilder:validation:Pattern:=`^[^",\$\.'\+\-<>|\[\]\{\}\(\)!%*,/:;=\?@\\^~\x60]+$`
 	Owner string `json:"owner,omitempty"`
 }
 

internal/clients/hana/dbschema/dbschema_client.go

@@ -7,6 +7,7 @@ import (
 	"github.com/SAP/crossplane-provider-hana/apis/schema/v1alpha1"
 	"github.com/SAP/crossplane-provider-hana/internal/clients/hana"
 	"github.com/SAP/crossplane-provider-hana/internal/clients/xsql"
+	"github.com/SAP/crossplane-provider-hana/internal/utils"
 )
 
 // DbSchemaClient defines the interface for dbschema client operations
@@ -43,7 +44,7 @@ func (c Client) Read(ctx context.Context, parameters *v1alpha1.DbSchemaParameter
 // Create a new schema
 func (c Client) Create(ctx context.Context, parameters *v1alpha1.DbSchemaParameters) error {
 
-	query := fmt.Sprintf("CREATE SCHEMA %s", parameters.SchemaName)
+	query := fmt.Sprintf(`CREATE SCHEMA "%s"`, utils.EscapeDoubleQuotes(parameters.SchemaName))
 
 	if parameters.Owner != "" {
 		query += fmt.Sprintf(" OWNED BY %s", parameters.Owner)
@@ -57,7 +58,7 @@ func (c Client) Create(ctx context.Context, parameters *v1alpha1.DbSchemaParamet
 // Delete an existing schema
 func (c Client) Delete(ctx context.Context, parameters *v1alpha1.DbSchemaParameters) error {
 
-	query := fmt.Sprintf("DROP SCHEMA %s", parameters.SchemaName)
+	query := fmt.Sprintf(`DROP SCHEMA "%s"`, utils.EscapeDoubleQuotes(parameters.SchemaName))
 
 	_, err := c.ExecContext(ctx, query)
 

internal/clients/hana/role/role_client.go

@@ -10,6 +10,7 @@ import (
 	"github.com/SAP/crossplane-provider-hana/internal/clients/hana"
 	"github.com/SAP/crossplane-provider-hana/internal/clients/hana/privilege"
 	"github.com/SAP/crossplane-provider-hana/internal/clients/xsql"
+	"github.com/SAP/crossplane-provider-hana/internal/utils"
 )
 
 // RoleClient defines the interface for role client operations
@@ -92,12 +93,12 @@ func observeLdapGroups(ctx context.Context, db xsql.DB, roleName string) (ldapGr
 // Create creates a new role in the db
 func (c Client) Create(ctx context.Context, parameters *v1alpha1.RoleParameters) error {
 
-	query := fmt.Sprintf("CREATE ROLE %s", getRoleName(parameters.Schema, parameters.RoleName))
+	query := fmt.Sprintf(`CREATE ROLE %s`, getRoleName(parameters.Schema, parameters.RoleName))
 
 	if len(parameters.LdapGroups) > 0 {
 		query += " LDAP GROUP"
 		for _, ldapGroup := range parameters.LdapGroups {
-			query += fmt.Sprintf(" '%s',", ldapGroup)
+			query += fmt.Sprintf(" '%s',", utils.EscapeSingleQuotes(ldapGroup))
 		}
 		query = strings.TrimSuffix(query, ",")
 	}
@@ -124,24 +125,24 @@ func (c Client) Create(ctx context.Context, parameters *v1alpha1.RoleParameters)
 func (c Client) UpdateLdapGroups(ctx context.Context, parameters *v1alpha1.RoleParameters, groupsToAdd, groupsToRemove []string) error {
 
 	if len(groupsToAdd) > 0 {
-		query := fmt.Sprintf("ALTER ROLE %s ADD LDAP GROUP", getRoleName(parameters.Schema, parameters.RoleName))
+		query := fmt.Sprintf(`ALTER ROLE %s ADD LDAP GROUP`, getRoleName(parameters.Schema, parameters.RoleName))
 		for _, ldapGroup := range groupsToAdd {
-			query += fmt.Sprintf(" '%s',", ldapGroup)
+			query += fmt.Sprintf(" '%s',", utils.EscapeSingleQuotes(ldapGroup))
 		}
 		query = strings.TrimSuffix(query, ",")
 		if _, err := c.ExecContext(ctx, query); err != nil {
-			return fmt.Errorf("failed to add ldap groups: %w", err)
+			return err
 		}
 	}
 
 	if len(groupsToRemove) > 0 {
 		query := fmt.Sprintf("ALTER ROLE %s DROP LDAP GROUP", getRoleName(parameters.Schema, parameters.RoleName))
 		for _, ldapGroup := range groupsToRemove {
-			query += fmt.Sprintf(" '%s',", ldapGroup)
+			query += fmt.Sprintf(" '%s',", utils.EscapeSingleQuotes(ldapGroup))
 		}
 		query = strings.TrimSuffix(query, ",")
 		if _, err := c.ExecContext(ctx, query); err != nil {
-			return fmt.Errorf("failed to remove ldap groups: %w", err)
+			return err
 		}
 	}
 
@@ -185,8 +186,10 @@ func (c Client) Delete(ctx context.Context, parameters *v1alpha1.RoleParameters)
 }
 
 func getRoleName(schemaName, roleName string) string {
+	roleNameEscaped := fmt.Sprintf(`"%s"`, utils.EscapeDoubleQuotes(roleName))
 	if schemaName != "" {
-		return fmt.Sprintf("%s.%s", schemaName, roleName)
+		schemaNameEscaped := fmt.Sprintf(`"%s"`, utils.EscapeDoubleQuotes(schemaName))
+		return fmt.Sprintf("%s.%s", schemaNameEscaped, roleNameEscaped)
 	}
-	return roleName
+	return roleNameEscaped
 }

internal/clients/hana/user/user_client.go

@@ -15,6 +15,7 @@ import (
 	"github.com/SAP/crossplane-provider-hana/apis/admin/v1alpha1"
 	"github.com/SAP/crossplane-provider-hana/internal/clients/hana/privilege"
 	"github.com/SAP/crossplane-provider-hana/internal/clients/xsql"
+	"github.com/SAP/crossplane-provider-hana/internal/utils"
 )
 
 // Error types for user authentication issues
@@ -296,9 +297,9 @@ func (c Client) Create(ctx context.Context, parameters *v1alpha1.UserParameters,
 func setParameters(query string, parameters map[string]string) string {
 	newParams := make([]string, 0, len(parameters))
 	for key, value := range parameters {
-		key = strings.ToUpper(key)
-		if slices.Contains(validParams, key) {
-			newParams = append(newParams, fmt.Sprintf("%s = '%s'", key, value))
+		upperKey := strings.ToUpper(key)
+		if slices.Contains(validParams, upperKey) {
+			newParams = append(newParams, fmt.Sprintf("%s = '%s'", upperKey, utils.EscapeSingleQuotes(value)))
 		}
 	}
 	if len(newParams) == 0 {

internal/clients/hana/usergroup/usergroup_client.go

@@ -8,6 +8,7 @@ import (
 	"github.com/SAP/crossplane-provider-hana/apis/admin/v1alpha1"
 	"github.com/SAP/crossplane-provider-hana/internal/clients/hana"
 	"github.com/SAP/crossplane-provider-hana/internal/clients/xsql"
+	"github.com/SAP/crossplane-provider-hana/internal/utils"
 )
 
 // UsergroupClient defines the interface for usergroup client operations
@@ -70,7 +71,7 @@ func (c Client) Read(ctx context.Context, parameters *v1alpha1.UsergroupParamete
 // Create creates a usergroup
 func (c Client) Create(ctx context.Context, parameters *v1alpha1.UsergroupParameters) error {
 
-	query := fmt.Sprintf("CREATE USERGROUP %s", parameters.UsergroupName)
+	query := fmt.Sprintf(`CREATE USERGROUP "%s"`, utils.EscapeDoubleQuotes(parameters.UsergroupName))
 
 	if parameters.DisableUserAdmin {
 		query += " DISABLE USER ADMIN"
@@ -83,7 +84,7 @@ func (c Client) Create(ctx context.Context, parameters *v1alpha1.UsergroupParame
 	if len(parameters.Parameters) > 0 {
 		query += " SET PARAMETER"
 		for key, value := range parameters.Parameters {
-			query += fmt.Sprintf(" '%s' = '%s',", key, value)
+			query += fmt.Sprintf(" '%s' = '%s',", utils.EscapeSingleQuotes(key), utils.EscapeSingleQuotes(value))
 		}
 		query = strings.TrimSuffix(query, ",")
 	}
@@ -102,7 +103,7 @@ func (c Client) Create(ctx context.Context, parameters *v1alpha1.UsergroupParame
 // UpdateDisableUserAdmin updates the disableUserAdmin property of the usergroup
 func (c Client) UpdateDisableUserAdmin(ctx context.Context, parameters *v1alpha1.UsergroupParameters) error {
 
-	query := fmt.Sprintf("ALTER USERGROUP %s", parameters.UsergroupName)
+	query := fmt.Sprintf(`ALTER USERGROUP "%s"`, utils.EscapeDoubleQuotes(parameters.UsergroupName))
 
 	if parameters.DisableUserAdmin {
 		query += " DISABLE USER ADMIN"
@@ -120,7 +121,7 @@ func (c Client) UpdateDisableUserAdmin(ctx context.Context, parameters *v1alpha1
 // UpdateParameters updates the parameters of the usergroup
 func (c Client) UpdateParameters(ctx context.Context, parameters *v1alpha1.UsergroupParameters, changedParameters map[string]string) error {
 
-	query := fmt.Sprintf("ALTER USERGROUP %s", parameters.UsergroupName)
+	query := fmt.Sprintf(`ALTER USERGROUP "%s"`, utils.EscapeDoubleQuotes(parameters.UsergroupName))
 	query += " SET PARAMETER"
 	for key, value := range changedParameters {
 		query += fmt.Sprintf(" '%s' = '%s',", key, value)
@@ -136,7 +137,7 @@ func (c Client) UpdateParameters(ctx context.Context, parameters *v1alpha1.Userg
 // Delete deletes the usergroup
 func (c Client) Delete(ctx context.Context, parameters *v1alpha1.UsergroupParameters) error {
 
-	query := fmt.Sprintf("DROP USERGROUP %s", parameters.UsergroupName)
+	query := fmt.Sprintf(`DROP USERGROUP "%s"`, utils.EscapeDoubleQuotes(parameters.UsergroupName))
 
 	if _, err := c.ExecContext(ctx, query); err != nil {
 		return err