From e51879c1595a90aa00019eb187157874d83facf8 Mon Sep 17 00:00:00 2001
From: Timo Pollmeier <timo.pollmeier@greenbone.net>
Date: Mon, 26 Jun 2023 16:01:03 +0200
Subject: [PATCH] Fix: Improve SQL quoting in results and host details

When creating new results in make_osp_result and checking for duplicate
results and host details, all strings are SQL quoted.

This fixes various SQL errors like ones when recieving an empty result
severity or a host detail containing a single quote / apostrophe.
---
 src/manage_sql.c | 92 ++++++++++++++++++++++++++++++++++++------------
 1 file changed, 70 insertions(+), 22 deletions(-)

diff --git a/src/manage_sql.c b/src/manage_sql.c
index fe5570496..1aa8391e5 100644
--- a/src/manage_sql.c
+++ b/src/manage_sql.c
@@ -19123,16 +19123,19 @@ make_osp_result (task_t task, const char *host, const char *hostname,
                  const char *port, const char *severity, int qod,
                  const char *path, const char *hash_value)
 {
-  char *nvt_revision = NULL, *quoted_desc, *quoted_nvt, *result_severity;
-  char *quoted_port, *quoted_hostname, *quoted_path, *quoted_hash_value;
+  char *nvt_revision = NULL;
+  gchar *quoted_type, *quoted_desc, *quoted_nvt, *result_severity, *quoted_port;
+  gchar *quoted_host, *quoted_hostname, *quoted_path, *quoted_hash_value;
 
   assert (task);
   assert (type);
 
   quoted_hash_value = sql_quote(hash_value ?: "");
+  quoted_type = sql_quote (type ?: "");
   quoted_desc = sql_quote (description ?: "");
   quoted_nvt = sql_quote (nvt ?: "");
   quoted_port = sql_quote (port ?: "");
+  quoted_host = sql_quote (host ?: "");
   quoted_hostname = sql_quote (hostname ? hostname : "");
   quoted_path = sql_quote (path ? path : "");
 
@@ -19171,14 +19174,17 @@ make_osp_result (task_t task, const char *host, const char *hostname,
        "         '%s', '%s', '%s', %d, '', '%s',"
        "         '%s', make_uuid (),"
        "         (SELECT id FROM result_nvts WHERE nvt = '%s'), '%s');",
-       task, host ?: "", quoted_hostname, quoted_port, quoted_nvt,
+       task, quoted_host, quoted_hostname, quoted_port, quoted_nvt,
        nvt_revision ?: "", result_severity ?: "0",
-       type, qod, quoted_desc, quoted_path, quoted_nvt, quoted_hash_value);
+       quoted_type, qod, quoted_desc, quoted_path, quoted_nvt,
+       quoted_hash_value);
   g_free (result_severity);
   g_free (nvt_revision);
+  g_free (quoted_type);
   g_free (quoted_desc);
   g_free (quoted_nvt);
   g_free (quoted_port);
+  g_free (quoted_host);
   g_free (quoted_hostname);
   g_free (quoted_path);
   g_free (quoted_hash_value);
@@ -29028,39 +29034,71 @@ check_osp_result_exists (report_t report, task_t task,
                "  WHERE report = %llu and hash_value = '%s');",
                report, *entity_hash_value))
     {
-      const char *type, *severity, *host, *hostname, *port;
-      const char *qod, *path;
-      gchar * desc;
+      const char *desc, *type, *severity, *host;
+      const char *hostname, *port, *qod, *path;
+      gchar *quoted_desc, *quoted_type, *quoted_severity, *quoted_host;
+      gchar *quoted_hostname, *quoted_port, *quoted_qod, *quoted_path;
 
       host = entity_attribute (r_entity, "host");
       hostname = entity_attribute (r_entity, "hostname");
       type = entity_attribute (r_entity, "type");
-      desc = sql_quote (entity_text (r_entity));
-      port = entity_attribute (r_entity, "port") ?: "";
+      desc = entity_text (r_entity);
+      port = entity_attribute (r_entity, "port");
       severity = entity_attribute (r_entity, "severity");
-      qod = entity_attribute (r_entity, "qod") ?: "";
-      path = entity_attribute (r_entity, "uri") ?: "";
+      qod = entity_attribute (r_entity, "qod");
+      path = entity_attribute (r_entity, "uri");
+
+      if (!severity || !strcmp (severity, ""))
+        {
+          if (!strcmp (type, severity_to_type (SEVERITY_ERROR)))
+            quoted_severity = g_strdup (G_STRINGIFY (SEVERITY_ERROR));
+          else
+            {
+              g_debug ("%s: Result without severity", __func__);
+              return 0;
+            }
+        }
+      else
+        {
+          quoted_severity = sql_quote (severity);
+        }
+
+      quoted_host = sql_quote (host ?: "");
+      quoted_hostname = sql_quote (hostname ?: "");
+      quoted_type = sql_quote (type ?: "");
+      quoted_desc = sql_quote (desc ?: "");
+      quoted_port = sql_quote (port ?: "");
+      quoted_qod = sql_quote (qod ?: "");
+      quoted_path = sql_quote (path ?: "");
 
       if (sql_int ("SELECT EXISTS"
                    " (SELECT * FROM results"
                    "   WHERE report = %llu and hash_value = '%s'"
                    "    and host = '%s' and hostname = '%s'"
                    "    and type = '%s' and description = '%s'"
-                   "    and port = '%s' and severity = %s"
-                   "    and qod = %s and path = '%s'"
+                   "    and port = '%s' and severity = '%s'"
+                   "    and qod = '%s' and path = '%s'"
                    " );",
                    report, *entity_hash_value,
-                   host, hostname,
-		   type, desc,
-                   port, severity,
-		   qod, path))
+                   quoted_host, quoted_hostname,
+                   quoted_type, quoted_desc,
+                   quoted_port, quoted_severity,
+                   quoted_qod, quoted_path))
         {
           g_info ("Captured duplicate result, report: %llu hash_value: %s",
                    report, *entity_hash_value);
           g_debug ("Entity string: %s", entity_string->str);
           return_value = 1;
         }
-      g_free (desc);
+
+      g_free (quoted_host);
+      g_free (quoted_hostname);
+      g_free (quoted_type);
+      g_free (quoted_desc);
+      g_free (quoted_port);
+      g_free (quoted_qod);
+      g_free (quoted_path);
+      g_free (quoted_severity);
   }
   g_string_free(entity_string, TRUE);
   return return_value;
@@ -29100,24 +29138,34 @@ check_host_detail_exists (report_t report, const char *host, const char *s_type,
                "  WHERE report_host = %llu and hash_value = '%s');",
                report_host, *detail_hash_value))
     {
-      gchar *quoted_s_desc = sql_quote ((gchar*) s_desc);
+      gchar *quoted_host = sql_quote (host);
+      gchar *quoted_s_type = sql_quote (s_type);
+      gchar *quoted_s_name = sql_quote (s_name);
+      gchar *quoted_s_desc = sql_quote (s_desc);
+      gchar *quoted_name = sql_quote (name);
+      gchar *quoted_value = sql_quote (value);
 
       if (sql_int ("SELECT EXISTS"
                    " (SELECT * FROM report_host_details"
                    "   WHERE report_host = %llu and hash_value = '%s'"
-		   "   and source_type = '%s' and source_name = '%s'"
+                   "   and source_type = '%s' and source_name = '%s'"
                    "   and source_description = '%s'"
                    "   and  name = '%s' and value = '%s'"
                    " );",
-                   report_host, *detail_hash_value,  s_type, s_name,
-                   quoted_s_desc, name, value))
+                   report_host, *detail_hash_value, quoted_s_type,
+                   quoted_s_name, quoted_s_desc, quoted_name, quoted_value))
         {
           g_info ("Captured duplicate report host detail, report: %llu hash_value: %s",
                       report, *detail_hash_value);
           g_debug ("Hash string: %s", hash_string);
           return_value = 1;
         }
+      g_free (quoted_host);
+      g_free (quoted_s_type);
+      g_free (quoted_s_name);
       g_free (quoted_s_desc);
+      g_free (quoted_name);
+      g_free (quoted_value);
     }
   g_free (hash_string);
   return return_value;