tags:

views:

48

answers:

3
+3  Q: 

Enforce query restrictions

I'm building my own clone of http://statoverflow.com/sandbox (using the free controls provided to 10K users from Telerik). I have a proof of concept available I can use locally, but before I open it up to others I need to lock it down some more. Currently I run everything through a stored procedure that looks something like this:

CREATE PROCEDURE WebQuery 
    @QueryText nvarchar(1000)
AS
BEGIN
    -- no writes, so no need to lock on select
    SET TRANSACTION ISOLATION LEVEL READ UNCOMMITTED 

    -- throttles
    SET ROWCOUNT 500 
    SET QUERY_GOVERNOR_COST_LIMIT 500

    exec (@QueryText)

END

I need to do two things yet:

  1. Replace QUERY_GOVERNOR_COST_LIMIT with an actual rather than estimated timeout, so no query runs longer than say 2 minutes.
  2. Right now nothing stops users from just putting their own 'SET ROWCOUNT 50000;' in front of their query text to override my restriction, so I need to somehow limit the queries to a single statement or (preferrably) disallow the SET commands inside the exec function.

Any ideas?

A: 

On a very basic level, how about blocking any statement that doesn't start with SELECT? Or will other query starts be supported, like CTE's or DECLARE statements? 1000 chars isn't too much room to play with, but i'm not too clear what this is in the first place.

UPDATED

Ok, how about prefixing whatever they submit with SELECT TOP 500 FROM (

and appending a ). If they try to do multiple statements it'll throw an error you can catch. And to prevent denial of service, replace their starting SELECT with another SELECT TOP 500.

Doesn't help if they've appended an ORDER BY to something returning a million rows, though.

CodeByMoonlight  2009-09-18 02:55:37
It's a good thought, but you could just query `'select 1;set rowcount 50000;select * from posts;'`
Joel Coehoorn  2009-09-18 03:01:53
I knew it was too simple to work *doh*
CodeByMoonlight  2009-09-18 03:09:13
It does sort of work- the page as is would only show the '1' result set and not the large result set, but it would still allow people to create a denial of service situation.
Joel Coehoorn  2009-09-18 03:17:06
Updated to another possibility now
CodeByMoonlight  2009-09-18 03:29:05
No good. Then it's just `'SELECT 1) t; SELECT * FROM ( <My query> '`
Joel Coehoorn  2009-09-18 13:13:04
Then some additional parsing :1) check for apostrophe positions. Characters or words identified thus as in a string are ok (i hope). Outside those, check for your danger words and symbols like ; or SET. Remove any carriage returns from the input and replace them with spaces to negate the possibility of -- commenting out half a line
CodeByMoonlight  2009-09-18 14:05:38
2) outside the 'safe' strings, check the counts of apostrophes and position. If the number of ( and ) is different, or at any point reading left-to-right there are more ) than (, the query is invalid.
CodeByMoonlight  2009-09-18 14:10:55
I'm sure i can come up with more.
CodeByMoonlight  2009-09-18 14:12:15
A: 

Throwing this out there:

The EXEC statement appears to support impersonation. See http://msdn.microsoft.com/en-us/library/ms188332.aspx. Perhaps you can impersonate a limited user. I am looking into the availability of limitations that may prevent SET statements and the like.

David Andres  2009-09-18 02:59:06
+3  A: 

You really plan to allow users to run arbitrary Ad-Hoc SQL? Only then can a user place in a SET to override your restrictions. If that's the case, you're best bet is to do some basic parsing using lexx/yacc or flex/bison (or your favorite CLR language tree parser) and detect invalid SET statements. Are you going to allow SET @variable=value though, which syntactically is a SET...

If you impersonate low privileged users via EXECUTE AS make sure you create an irreversible impersonation context, so the user does not simply execute REVERT and regain all the privileges :) You also must really understand the implications of database impersonation, make sure you read Extending Database Impersonation by Using EXECUTE AS.

Another thing to consider is deffering execution of requests to a queue. Since queue readers can be calibrated via MAX_QUEUE_READERS, you get a very cheap throttling. See Asynchronous procedure execution for a related article how to use queues to execute batches. This mechanism is different from resource governance, but I've seen it used to more effect that the governor itself.

Remus Rusanu  2009-09-18 03:33:44

related questions

Sql to query a dbs scheme
Transform Columns into Rows
SQL Client for Mac OS X that works with MS SQL Server
How do you get leading wildcard full-text searches to work in SQL Server?
SQL Server 2000: Is there a way to tell when a record was last modified?
What's the BEST way to remove the time portion of a datetime value (SQL Server)
I need to know how much disk space a table is using in SQL Server
What's the best way to determine if a temporary table exists in SQL Server?
Appropriate pagefile size for SQL Server
Have you ever encountered a query that SQL Server could not execute because it referenced too many tables?
ASP.NET MVC "CRUD" Database Sample
How do I unit test persistence?
Best Book for a new Database Developer
Can I logically reorder columns in a table?
Best way to copy a database in SQL Server 2005/8?
Is Windows Server 2008 "Server Core" appropriate for a SQL Server instance?
Why doesn't SQL Full Text Indexing return results for words containing #?
Client collation and SQL Server 2005
Editing database records by multiple users
Deploying SQL Server Databases from Test to Live
SQL Server 2005 implementation of MySQL REPLACE INTO?
Upgrading SQL Server 6.5
How do I version my MS SQL database in SVN?
How to export data from SQL Server 2005 to MySQL
Check for changes to a SQL table?