11 Replies Latest reply: Nov 4, 2013 6:49 AM by Recx Ltd

    Good practices for application processes

    mnoscars

      Hello all,

      I have to run an application process on demand (from JavaScript code).

      To achieve this, I pass the process parameters using application items (I mean that I set the application items using JavaScript).

      In order to make it work, I have to change the Session State Protection to "Unrestricted".

      Is it the right way to do this regarding security good practices, or is there a better way?

      Thank you.

      Max

        • 1. Re: Good practices for application processes
          Recx Ltd

          Nothing wrong with that, but I would save the application items and use apex_application.g_x01 through apex_application.g_x10:

          var get = new htmldb_Get(null,null,'APPLICATION_PROCESS=StoreCoord',null);
          get.addParam('x01', value);
          get.addParam('x02', value2);

          and used in the application process thus:

          SELECT .....
          WHERE column = apex_application.g_x01 AND column2 = apex_application.g_x02

          You can of course set application items as you stated too, but just for passing temporary variables without setting state the above will suffice.

          The nature of application processes means you are willing to accept any data from the user, and you should take care when using the values in an unsafe manner.

          regards,

          • 2. Re: Good practices for application processes
            mnoscars

            Hello,

            Thank you very much for your fast answer.

            I have already seen that syntax but I was not sure which was the best.

            About the security part, I use the application processes to do JavaScript treatments on previously user-selected data. But the user cannot type anything (just select data he has privileges on).

            So is there any chance that a user can change the value of an application item using my solution and execute treatments on unwanted data (I guess he could hardcode the value in the URL, right?)

            What about your solution? Any chance to set an unwanted value to x01, x02... ?

            Thank you.

            Max

            • 3. Re: Good practices for application processes
              Recx Ltd

              Yes, any unprotected item or the apex_application.g_x variable can be set to an unwanted value. You should treat them as user input.

              I don't understand what 'JavaScript treatments' means. For security, any JavaScript can be changed, re-run or ignored by a user. Any unprotected APEX item can be changed to any value using the JavaScript Console in most browsers, like so:

              $s('<apex item on page>', '<value>');
              apex.submit();

              The developer must make sure these types of items are safe from a security standpoint.

              regards,

              • 4. Re: Good practices for application processes
                mnoscars

                RecxLtd wrote:

                I don't understand what 'JavaScript treatments' means. For security, any JavaScript can be changed, re-run or ignored by a user. Any unprotected APEX item can be changed to any value using the JavaScript Console in most browsers, like so:

                Ok, let's take an example.

                I have a page with a JavaScript API used to render an Oracle MapViewer map (such as Google Maps).

                The data rendered on the map are filtered depending on user privileges. For instance, a user has access to a specific layer and can move objects on the map for this layer (but not for others).

                When the user validates a move on the map, an Ajax call is made to the application process to update the object attributes in the database.

                So the id and the attributes of the object are passed to the application process.

                How can I then be sure that the user will not modify the id of the object and update an unwanted object?

                Thank you for your help.

                Max

                • 5. Re: Good practices for application processes
                  Recx Ltd

                  Hi Max,

                  Thanks for explaining that, I see now. You will absolutely need to check in the process that the ID being passed is still valid for the currently logged-on user; I would definitely use the global temporary variables apex_application.g_x for this.

                  Also make sure that the object attributes are what you expect, or ensure they do not result in an SQL injection (asserted) or Cross-site Scripting condition (properly escaped). You can use a regular expression to sanitise the attribute data if necessary; an expression I used just the other day:

                  regexp_replace(apex_application.g_x01, '[^#0-9a-fA-F]', '')

                  which restricted the input to the hex colour coding format, i.e. '#7f7f7f'.

                  Hope this helps

                  regards,

                  • 6. Re: Good practices for application processes
                    Christian Neumueller-Oracle

                    Hi,

                    Regular expressions are great tools to sanitize input. However, range expressions depend on the selected language and the NLS_SORT parameter. Consider this example:

                    SQL> alter session set nls_language='estonian';
                    SQL> select regexp_replace('apex','[^a-z]','!') from dual;
                    
                    REGEXP_REPLA
                    ------------
                    ape!
                    
                    SQL> alter session set nls_language='american';
                    SQL> select regexp_replace('apex','[^a-z]','!') from dual;
                    
                    REGEXP_REPLA
                    ------------
                    apex

                    In line 2, the regexp_replace function has to take into account that the nls_language uses an alphabet where x comes after z. The details about how character ranges behave are here:

                    http://docs.oracle.com/cd/E16655_01/server.121/e17750/ch5lingsort.htm#NLSPG302

                    Regards,

                    Christian

                    • 7. Re: Good practices for application processes
                      Recx Ltd

                      Very good point. For full ranges it will probably be better to use the built-in character sets for alphanumeric etc., and add any other characters on top:

                      regexp_replace(apex_application.g_x01, '[^_[:alnum:]]', '')

                      - Some people, when confronted with a problem, think "I know, I'll use regular expressions." Now they have two problems. -

                      regards,

                      • 8. Re: Good practices for application processes
                        Christian Neumueller-Oracle

                        Yes, character classes can be used, but e.g. [:alnum:] matches numbers and Unicode alphabet characters, not only the ASCII 0-9a-z range. This may or may not be desired:

                        APEX_050000@apx50> select regexp_replace('apäx','[^[:alnum:]]','!') from dual;
                        apäx
                        APEX_050000@apx50> select regexp_replace('apäx','[^0-9a-z]','!') from dual;
                        ap!x

                        Sometimes it is just necessary to specify each character explicitly.

                        Regards,

                        Christian

                        • 9. Re: Good practices for application processes
                          mnoscars

                          RecxLtd wrote:

                          Hi Max,

                          Thanks for explaining that, I see now. You will absolutely need to check in the process that the ID being passed is still valid for the currently logged-on user; I would definitely use the global temporary variables apex_application.g_x for this.

                          Also make sure that the object attributes are what you expect, or ensure they do not result in an SQL injection (asserted) or Cross-site Scripting condition (properly escaped). You can use a regular expression to sanitise the attribute data if necessary; an expression I used just the other day:

                          regexp_replace(apex_application.g_x01, '[^#0-9a-fA-F]', '')

                          which restricted the input to the hex colour coding format, i.e. '#7f7f7f'.

                          Hope this helps

                          regards,

                          Hello,

                          Sorry for the delay and thank you very much. Sure, this really helps!

                          One last scenario:

                          Let's say that I have a report page based on a SQL query: "select * from my_table where id = :PXX_ID"

                          If I display the report page using htmldb_Get when the user clicks on an object, I guess I have to check the same things.

                          So I probably should write a function to check the user input, and my query should become something like "select * from my_table where id = :PXX_ID and check_id(:PXX_ID) = 'Y' "

                          Am I right?

                          Regards,

                          Max

                          • 10. Re: Good practices for application processes
                            mnoscars

                            Hello Christian,

                            Wow, yes, this is a very good point. I did not know that and would not even have thought about it.

                            Thank you for this information.

                            Regards,

                            Max

                            • 11. Re: Good practices for application processes
                              Recx Ltd

                              Hi Max,

                              Yes, if the PXX_ID item is unprotected then that is one way of ensuring the ID is set within the correct range, but it may have a performance impact there.

                              I would consider protecting PXX_ID with item protection and checking the ID in the process using your function for better performance.

                              Obviously, without actually seeing the application it is a bit difficult to advise, but by the looks of it you are thinking in the right direction.

                              regards,
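As an added example (not code from the thread, from Recx Ltd or from Oracle), the following PL/SQL puts together the advice from replies 5 and 11: the StoreCoord process reads the object id and colour attribute from apex_application.g_x01 and g_x02, whitelists them with explicit character lists instead of NLS-dependent ranges, and calls a check_id function against the logged-on user before updating anything. The table map_objects (columns id, owner_user, colour) and the check_id signature are assumptions for illustration.

```plsql
-- Assumed table (not from the thread): map_objects(id number, owner_user varchar2, colour varchar2)

-- check_id returns 'Y' only when the object belongs to p_user, otherwise 'N'.
-- Calling it inside the process keeps the check off the report query (reply 11).
create or replace function check_id (
    p_id   in number,
    p_user in varchar2
) return varchar2
is
    l_count pls_integer;
begin
    select count(*) into l_count
      from map_objects
     where id = p_id
       and owner_user = p_user;
    return case when l_count = 1 then 'Y' else 'N' end;
end check_id;
/

-- Application process "StoreCoord" (PL/SQL body). The htmldb_Get call in reply 1
-- sends x01 = object id and x02 = new colour; both arrive as untrusted text.
declare
    l_id     number;
    l_colour varchar2(7);
begin
    -- 1. Object id: explicit digit list, so NLS_SORT cannot change what "0-9" means.
    if not regexp_like(apex_application.g_x01, '^[0123456789]{1,10}$') then
        raise_application_error(-20001, 'Invalid object id');
    end if;
    l_id := to_number(apex_application.g_x01);

    -- 2. Colour attribute: strip everything outside '#' and hex digits, then
    --    require the exact '#rrggbb' shape before it goes anywhere near SQL or HTML.
    l_colour := regexp_replace(apex_application.g_x02, '[^#0123456789abcdefABCDEF]', '');
    if not regexp_like(l_colour, '^#[0123456789abcdefABCDEF]{6}$') then
        raise_application_error(-20002, 'Invalid colour');
    end if;

    -- 3. Authorisation: the id must still be valid for the logged-on user,
    --    whatever the map JavaScript filtered on the client side.
    if check_id(l_id, :APP_USER) <> 'Y' then
        raise_application_error(-20003, 'Object not accessible');
    end if;

    update map_objects
       set colour = l_colour
     where id = l_id;

    htp.p('OK');   -- response read by the Ajax caller
end;
```

A failed check raises an error instead of silently updating, so an altered x01 or x02 is visible in the APEX error log rather than in the data.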