Tech Tip: Malicious code injection explained and how to guard against it.
PRODUCT: 4D | VERSION: 15.1 | PLATFORM: Mac & Win
Published On: February 18, 2016
A feature of 4D Transformation Tags, previously called 4D HTML Tags, that many developers either take for granted or are unaware of is their recursive processing. What is "recursive processing"?
4D tags are interpreted recursively: 4D always attempts to reinterpret the result of a transformation and, if a new transformation has taken place, an additional interpretation is performed, and so on until the product obtained no longer requires any further transformation.
The recursive processing of 4D Transformation Tags opens the door to "malicious code injection": code that an attacker supplies as ordinary-looking data with the intention of disrupting the processing of the application or corrupting the data within the database. Consider the following code snippet:
myName:="<!--#4DHTML QUIT 4D-->"  // malicious injection: the "data" itself contains a tag
input:="My name is: <!--#4DHTML myName-->"
PROCESS 4D TAGS(input;output)  // recursive processing
Because the 4DHTML and 4DTEXT tags both evaluate 4D variables and expressions, the first pass replaces <!--#4DHTML myName--> with the contents of myName exactly as they were entered, which yields "My name is: <!--#4DHTML QUIT 4D-->". Since that result still contains a tag, 4D interprets it again, and on this second pass the 4DHTML tag executes the command QUIT 4D and the application quits.
Because database code often works with data that was, at one time or another, introduced through an external source (user input, import, web, etc.), it is advisable not to use transformation tags such as 4DEVAL or 4DSCRIPT, which evaluate their parameters, directly with this sort of data.
In addition, because of the recursion, malicious code may itself include transformation tags. In this case it is imperative to insert such data with the 4DTEXT tag rather than 4DHTML. The code above, changed as shown below, defensively guards against this injection:
myName:="<!--#4DHTML QUIT 4D-->"  // malicious injection: the same attacker-supplied data
input:="My name is: <!--#4DTEXT myName-->"  // 4DTEXT instead of 4DHTML
PROCESS 4D TAGS(input;output)  // recursive processing
Since 4DTEXT translates "<" and ">" into their HTML character entities, the first pass produces "My name is: &lt;!--#4DHTML QUIT 4D--&gt;". That text no longer contains anything 4D recognizes as a tag, so no further pass takes place; a browser displays it as the literal text "My name is: <!--#4DHTML QUIT 4D-->", and the running application is not halted.
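To make the mechanism behind both snippets above concrete without a 4D runtime, here is an added Python model of the recursive tag processing (this is illustration code written for this tip, not 4D's own implementation of PROCESS 4D TAGS). It models only what the page states: 4DHTML inserts a variable's value raw, 4DTEXT inserts it with "<" and ">" turned into entities, the result is re-interpreted until no tag remains, and a 4DHTML tag whose expression is QUIT 4D halts the application. The tag regular expression, the treatment of unknown expressions as empty, the pass limit and the helper names (process_4d_tags, looks_injected, vulnerable_demo, hardened_demo) are assumptions of this model.

```python
import re
from dataclasses import dataclass
from typing import Dict, Tuple

# Tag syntax as described in the tip: <!--#4DHTML expr--> / <!--#4DTEXT expr-->.
# Assumption of this model: only these two tags exist and whitespace is flexible.
TAG_RE = re.compile(r"<!--#(4DHTML|4DTEXT)\s+(.*?)\s*-->")


def escape_4dtext(value: str) -> str:
    """Model of 4DTEXT's escaping: '<' and '>' become HTML entities (as the tip
    states). A real deployment must also handle '&' and quotes; that is left out
    here to model exactly what the page describes."""
    return value.replace("<", "&lt;").replace(">", "&gt;")


@dataclass
class Result:
    output: str
    halted: bool   # True if the modelled QUIT 4D command was reached
    passes: int    # number of interpretation passes that ran


def expand_once(text: str, variables: Dict[str, str]) -> Tuple[str, bool]:
    """One interpretation pass: replace every tag with its value.
    Returns (new_text, halted)."""
    halted = False

    def substitute(m: "re.Match") -> str:
        nonlocal halted
        kind, expr = m.group(1), m.group(2)
        if expr == "QUIT 4D":            # model: the command quits the application
            halted = True
            return ""
        value = variables.get(expr, "")  # assumption: unknown expression -> empty
        return escape_4dtext(value) if kind == "4DTEXT" else value

    return TAG_RE.sub(substitute, text), halted


def process_4d_tags(text: str, variables: Dict[str, str], max_passes: int = 10) -> Result:
    """Model of PROCESS 4D TAGS: re-interpret the output until no tag is left.
    max_passes is this model's guard against self-referential data; it is not
    a 4D feature described by the tip."""
    passes = 0
    while passes < max_passes:
        if not TAG_RE.search(text):      # nothing left to transform: done
            return Result(text, False, passes)
        text, halted = expand_once(text, variables)
        passes += 1
        if halted:
            return Result(text, True, passes)
    raise RuntimeError(f"no fixed point after {max_passes} passes: {text!r}")


def looks_injected(data: str) -> bool:
    """Cheap pre-check for external data that would be re-interpreted as a tag.
    Useful for logging or rejecting input before it reaches PROCESS 4D TAGS."""
    return "<!--#4D" in data.upper()


# Constructed sample: the attacker-supplied "name" from the tip.
MALICIOUS_NAME = "<!--#4DHTML QUIT 4D-->"


def vulnerable_demo() -> Result:
    """The first snippet of the tip: 4DHTML inserts the data raw, the second pass executes it."""
    return process_4d_tags("My name is: <!--#4DHTML myName-->", {"myName": MALICIOUS_NAME})


def hardened_demo() -> Result:
    """The second snippet of the tip: 4DTEXT escapes the data, so no second pass happens."""
    return process_4d_tags("My name is: <!--#4DTEXT myName-->", {"myName": MALICIOUS_NAME})


if __name__ == "__main__":
    print("4DHTML :", vulnerable_demo())
    print("4DTEXT :", hardened_demo())
    print("flagged:", looks_injected(MALICIOUS_NAME))
```

Running the block shows the vulnerable case halting on its second pass while the 4DTEXT case finishes after a single pass with the tag rendered inert as entities. The pass limit also surfaces a related failure of unbounded recursion: a variable whose value is a tag referring to itself never reaches a fixed point, which is a denial-of-service concern separate from the QUIT 4D example.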