topic Re: Is ' where 1=1' is safe in ArcGIS JavaScript Maps SDK Questions

Is ' where 1=1' safe?

文瑞蘇 — Wed, 26 Jan 2022 11:13:25 GMT

Dears

In our office, usage of 'where 1-1' using featureLayer.js in arcgis javascript api is blocked for owasp top 10 reasons.
Please is there any reason to convince the admin that 'where 1=1' is not a hack attacked and is safe to use, or is there any alternative to using where 1=1 in arcgis javascript featureLayer.js api

https://developers.arcgis.com/javascript/latest/api-reference/esri-layers-FeatureLayer.html

Re: Is ' where 1=1' is safe

BlakeTerhune — Mon, 24 Jan 2022 14:19:47 GMT

SQL does not have a true Boolean datatype so 1=1 is a way of evaluating to a constant true so all records are returned. You could use any SQL statement that evaluates to true.

2=2 'true'='true' 'all records'='all records'

Re: Is ' where 1=1' is safe

sandrooco — Mon, 24 Jan 2022 20:08:07 GMT

In case any esri employee sees this: are there actual reasons behind desicions such as having to use 1=1 or returning 200s for failed requests and then include error objects with status 500 in the response?
This really isn't how rest should be done.

Re: Is ' where 1=1' is safe

文瑞蘇 — Tue, 25 Jan 2022 01:43:08 GMT

Thanks for your reply.

I use 'all records' = 'all records' or 'true' = 'true'

The firewall still block it!

Re: Is ' where 1=1' is safe

BlakeTerhune — Tue, 25 Jan 2022 14:16:19 GMT

Are you sure it's the 1=1 where clause that's the problem? Can you successfully query with any where clause?

objectid > 0 shape is not null

You might need to request that your organization create a firewall rule allowing traffic from your application server to the ArcGIS Server on ports 6080 and 6443.

Re: Is ' where 1=1' is safe

文瑞蘇 — Tue, 25 Jan 2022 23:45:50 GMT

Yes, I can successfully query with where clause such as

objectid >=0 shape is not null

but not

1=1

My organization use Web application firewall. They say usage '1=1' is not allow for OWASP Top 10 reason....

How can I proof that This usage is safe for ArcGIS server rest service?

Re: Is ' where 1=1' is safe

BlakeTerhune — Wed, 26 Jan 2022 14:26:54 GMT

@文瑞蘇 wrote:
How can I proof that This usage is safe for ArcGIS server rest service?

Apparently these types of expressions are common in SQL injection attacks.

How to Prevent SQL Injection: Attacks and Defense Techniques - Tutorial and Best Practices (ptsecurity.com)

I don't know how you would convince your organization's firewall to allow these expressions. You might instead have to find another way to query your data. Maybe there's an ID field in your data that is never null or some other where clause that should always return all rows. Something more specific to your data that isn't 1=1.

Re: Is ' where 1=1' is safe

文瑞蘇 — Thu, 27 Jan 2022 00:25:23 GMT

Thanks again for the detailed instructions.

I saw in ArcGIS featureLayer api .the default clause with where have ‘1=1 ’

https://raw.githubusercontent.com/Esri/arcgis-js-api/4master/layers/FeatureLayer.js

Maybe I'll try to replace it with some other where clause that should always return all rows.