Dear all,
In our office, the use of 'where 1=1' via FeatureLayer.js in the ArcGIS JavaScript API is blocked for OWASP Top 10 reasons.
Is there any argument I can use to convince the admin that 'where 1=1' is not a hack attack and is safe to use, or is there an alternative to using where 1=1 in the ArcGIS JavaScript FeatureLayer.js API?
https://developers.arcgis.com/javascript/latest/api-reference/esri-layers-FeatureLayer.html
SQL does not have a true Boolean datatype so 1=1 is a way of evaluating to a constant true so all records are returned. You could use any SQL statement that evaluates to true.
2=2
'true'='true'
'all records'='all records'
Thanks for your reply.
I used 'all records' = 'all records' and 'true' = 'true'.
The firewall still blocks them!
Are you sure it's the 1=1 where clause that's the problem? Can you successfully query with any where clause?
objectid > 0
shape is not null
You might need to request that your organization create a firewall rule allowing traffic from your application server to the ArcGIS Server on ports 6080 and 6443.
Yes, I can successfully query with where clauses such as
objectid >= 0
shape is not null
but not
1=1
My organization uses a Web application firewall. They say the use of '1=1' is not allowed for OWASP Top 10 reasons....
How can I prove that this usage is safe for the ArcGIS Server REST service?
@文瑞蘇 wrote: How can I prove that this usage is safe for the ArcGIS Server REST service?
Apparently these types of expressions are common in SQL injection attacks.
I don't know how you would convince your organization's firewall to allow these expressions. You might instead have to find another way to query your data. Maybe there's an ID field in your data that is never null or some other where clause that should always return all rows. Something more specific to your data that isn't 1=1.
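The reasoning above (constant-versus-constant comparisons look like injection tautologies, a data-specific clause does not) can be shown with a small script. This is an added example, not code from the thread, from Esri, or from the poster's firewall: the layer URL is hypothetical, and the tautology regex is a simplified stand-in for whatever rule the real WAF applies (the OWASP Core Rule Set does contain tautology detection, but the exact pattern is an assumption here). The query URL shape (`<layer>/query?where=...&outFields=*&f=json`) is the ArcGIS REST API's documented query interface.

```javascript
// Added example (not from the original thread or from Esri's code).
// Builds the REST query a FeatureLayer would issue for a given where clause,
// then runs a simplified WAF-style tautology check over the decoded parameter.

// Hypothetical layer URL (assumption; replace with a real FeatureServer layer).
const LAYER_URL =
  "https://example.com/arcgis/rest/services/Demo/FeatureServer/0";

// Build the REST query URL that FeatureLayer issues for a where clause.
// where/outFields/f are the ArcGIS REST API query parameters.
function buildQueryUrl(layerUrl, where) {
  const params = new URLSearchParams({ where, outFields: "*", f: "json" });
  return `${layerUrl}/query?${params.toString()}`;
}

// Simplified tautology detector (assumption, stands in for the real WAF rule):
// flags "LITERAL = LITERAL" where both sides are the same number or the same
// quoted string, e.g. 1=1, 2=2, 'true'='true'. A mismatch such as 2=1 or a
// comparison against a column such as objectid >= 0 is not flagged.
const TAUTOLOGY = /(?:^|[\s(])('[^']*'|\d+)\s*=\s*\1(?:$|[\s)])/;

function isTautology(where) {
  return TAUTOLOGY.test(where);
}

// Mimic the WAF: inspect the URL-decoded `where` parameter of the outgoing query.
function wafDecision(url) {
  const where = new URL(url).searchParams.get("where") ?? "";
  return isTautology(where) ? "blocked" : "allowed";
}

// Constructed clauses from the thread: the first four are what the poster
// tried and the firewall rejected, the last two are the ones it let through.
const CLAUSES = [
  "1=1",
  "2=2",
  "'true'='true'",
  "'all records'='all records'",
  "objectid >= 0",
  "shape is not null",
];

// Map each clause to the decision the simplified WAF would make.
function classifyClauses(clauses = CLAUSES) {
  return Object.fromEntries(
    clauses.map((c) => [c, wafDecision(buildQueryUrl(LAYER_URL, c))])
  );
}

console.log(classifyClauses());
```

Every alternative in the earlier replies (2=2, 'true'='true', 'all records'='all records') is the same pattern as 1=1 to a rule like this, which is why swapping constants does not help; a clause that references a real column (objectid is the non-null key of every ArcGIS feature class, so `objectid >= 0` returns every row) does not match the pattern at all.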
Thanks again for the detailed instructions.
I saw that in the ArcGIS FeatureLayer API the default where clause is '1=1':
https://raw.githubusercontent.com/Esri/arcgis-js-api/4master/layers/FeatureLayer.js
Maybe I'll try to replace it with some other where clause that should always return all rows.
In case any Esri employee sees this: are there actual reasons behind decisions such as having to use 1=1, or returning 200s for failed requests and then including error objects with status 500 in the response?
This really isn't how REST should be done.