
Is ' where 1=1' safe?

01-24-2022 06:00 AM
文瑞蘇
Emerging Contributor

Dears

In our office, usage of 'where 1=1' using featureLayer.js in the ArcGIS JavaScript API is blocked for OWASP Top 10 reasons.
Please, is there any reason to convince the admin that 'where 1=1' is not a hacking attack and is safe to use, or is there any alternative to using where 1=1 in the ArcGIS JavaScript FeatureLayer.js API?

https://developers.arcgis.com/javascript/latest/api-reference/esri-layers-FeatureLayer.html

BlakeTerhune
MVP Frequent Contributor

SQL does not have a true Boolean datatype so 1=1 is a way of evaluating to a constant true so all records are returned. You could use any SQL statement that evaluates to true.

2=2
'true'='true'
'all records'='all records'

文瑞蘇
Emerging Contributor

Thanks for your reply.

I use 'all records' = 'all records' or 'true' = 'true'

The firewall still blocks it!

BlakeTerhune
MVP Frequent Contributor

Are you sure it's the 1=1 where clause that's the problem? Can you successfully query with any where clause?

objectid > 0
shape is not null

You might need to request that your organization create a firewall rule allowing traffic from your application server to the ArcGIS Server on ports 6080 and 6443.

文瑞蘇
Emerging Contributor

Yes, I can successfully query with a where clause such as

objectid >=0
shape is not null

but not

1=1

My organization uses a Web application firewall. They say usage of '1=1' is not allowed for OWASP Top 10 reasons....

How can I prove that this usage is safe for the ArcGIS Server REST service?

BlakeTerhune
MVP Frequent Contributor

@文瑞蘇 wrote:

How can I prove that this usage is safe for the ArcGIS Server REST service?


Apparently these types of expressions are common in SQL injection attacks.

How to Prevent SQL Injection: Attacks and Defense Techniques - Tutorial and Best Practices (ptsecuri...

I don't know how you would convince your organization's firewall to allow these expressions. You might instead have to find another way to query your data. Maybe there's an ID field in your data that is never null or some other where clause that should always return all rows. Something more specific to your data that isn't 1=1.
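As an added illustration (not from any poster here, not Esri's code, and not an actual WAF rule set; the function names are made up for this example), this is the shape of the "SQL tautology" signature that explains why the replacement clauses tried above were blocked as well: a constant compared to a constant trips it whatever the literal is, while a clause that names a column passes.

```javascript
// Added example (not Esri code and not a real WAF rule): a simplified model of
// the OWASP-style "SQL tautology" signature a web application firewall applies
// to query parameters such as a FeatureLayer where clause. It shows why 1=1,
// 'true'='true' and 'all records'='all records' all trip the rule, while a
// clause that references a column, such as objectid >= 0, does not.

// Normalise a where clause: lower-case, straighten curly quotes, collapse spaces.
function normalizeWhere(where) {
  return where.toLowerCase().replace(/[‘’]/g, "'").replace(/\s+/g, " ").trim();
}

// A literal is a number or a single-quoted string; a column name is neither.
const LITERAL = "(?:\\d+(?:\\.\\d+)?|'[^']*')";

// literal <comparison> literal, not glued to an identifier or another quote,
// so "objectid1 = 1" and name='1=1' are not flagged.
const CONSTANT_COMPARISON = new RegExp(
  `(?<![\\w'])(${LITERAL})\\s*(=|<>|!=|<=|>=|<|>)\\s*(${LITERAL})(?![\\w'])`
);

// True when the clause contains a comparison whose outcome does not depend on
// any column. Injected payloads rely on such constant-true predicates, which is
// why WAF rule sets block the pattern regardless of the literal used.
function looksLikeTautology(where) {
  return CONSTANT_COMPARISON.test(normalizeWhere(where));
}

// Split candidate clauses into those a tautology rule would block and those it
// would let through; handy evidence for a ticket to the firewall team.
function auditWhereClauses(clauses) {
  const blocked = clauses.filter(looksLikeTautology);
  const allowed = clauses.filter((c) => !looksLikeTautology(c));
  return { blocked, allowed };
}

// Constructed sample input: the clauses tried in this thread.
const sampleClauses = [
  "1=1",
  "2=2",
  "'true'='true'",
  "'all records'='all records'",
  "objectid > 0",
  "objectid >= 0",
  "shape is not null",
];

const result = auditWhereClauses(sampleClauses);
console.log("blocked by tautology rule:", result.blocked);
console.log("allowed:", result.allowed);
```

Real rule sets are more elaborate (they also inspect URL-decoded and comment-stripped forms), so the model above is a lower bound on what gets blocked, not a bypass guide.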

文瑞蘇
Emerging Contributor

Thanks again for the detailed instructions.

I saw in the ArcGIS FeatureLayer API that the default where clause has '1=1'.

https://raw.githubusercontent.com/Esri/arcgis-js-api/4master/layers/FeatureLayer.js

Maybe I'll try to replace it with some other where clause that should always return all rows.

sandrooco
Occasional Contributor

In case any Esri employee sees this: are there actual reasons behind decisions such as having to use 1=1 or returning 200s for failed requests and then including error objects with status 500 in the response?
This really isn't how REST should be done.