platform/libinjection/CHANGELOG.md
2019-08-16 10:42:40 -04:00

288 lines
12 KiB
Markdown
Vendored

# NEXT
* [#126](/client9/libinjection/issues/126) oracle false negative
* [#117](/client9/libinjection/issues/117) [#116](/client9/libinjection/issues/116) - overread in XSS
* [#112](/client9/libinjection/issues/112) fix shared library on macOS
* [#122](/client9/libinjection/issues/122) [#115](/client9/libinjection/issues/115) - false positive issue for XSS
* [#113](/client9/libinjection/issues/113) save space in struct
* [#126](/client9/libinjection/issues/126) add usage to sqli cli tool
* [#125](/client9/libinjection/issues/125) many false positives
* [#114](/client9/libinjection/issues/114) false negative with TSQL and "IF NOT" operation
# v3.9.2 - 2016-05-21
* Release of whatever changes have been made over the last 2.5 years.
# v3.9.1 - 2013-12-26
Day-After-Christmas Edition
* No functional changes
* Code reverted to strict C90 style to allow builds on embedded systems, Windows and FreeBSD
* For gcc this means `-std=c90 -pedantic`, which seems to simulate Windows behavior on Linux
* Other minor style changes to header files.
# v3.9.0 - 2013-11-29
Black Friday Edition
* Big API Change!! everything in `libinjection.h` is now `libinjection_sqli.h`. And a new super simple API is in `libinjection.h`
* Improvements to folder to prevent bypasses using SQL types (casts). This eliminated about 400 fingerprints as well.
* Blacklisted a very degenerate MySQL ODBC case, that is highly unlike to be used in 'real inputs'. thanks to @LightOS foreporting.. not clear who found it originally.
* Over 400 unit tests now!
* Compiles clean under clang with `-Weverything -Wno-padded` `-Wno-padded` is excluded since it's architecture dependant. See `clang.sh` to see how to invoke.
* PHP documentation fixes, thanks @LightOS
# v3.8.0 - 2013-10-18
LAMP Special Edition: MySQL and PHP improvements
* [Issue #33](https://github.com/client9/libinjection/issues/54) Fixes MySQL in latin1-mode use of `%A0` as whitespace. This was tricky since `%A0` might be part of larger UTF-8 encoding as well. Or perhaps `%C2%A0` (utf-8 encoding) might be treated as whitespace. Fortunately, MySQL only seems to treat `%A0` as whitespace in latin1 mode. HT [@ru_raz0r](https://twitter.com/ru_raz0r)
* Fixes to Lua testdriver and portability fixes
* Much improved PHP build and test. It now uses `phpize` and builds and tests like a real module.
* API CHANGE: the macro `LIBINJECTION_VERSION` has been replaced by `const char* libinjection_version()`. This allows us to increment the version number without having to regenerate SWIG (or other) bindings for minor releases.
NOTE:
Pregenerated [SWIG](http://www.swig.org/) bindings are removed. You'll need to install SWIG before running `make`. SWIG is packaged on virtually every OS so this should not be a problem.
Here's why:
* Latest versions of swig appear to generate poor quality bindings for LUA and Python. Bugs are filed upstream [1341](https://sourceforge.net/p/swig/bugs/1341/), [1343](https://sourceforge.net/p/swig/bugs/1343/), [1345](https://sourceforge.net/p/swig/bugs/1345/). These are fixed or will be fixed in swig 3.0.0.
* In addition, I've received a number of reports of generated code failing various static analysis
* I can't triangulate which SWIG for which language for which OS will work for you
* I may be switching to [libffi](http://cffi.readthedocs.org/) for python, and [luajit.ffi](http://luajit.org/ext_ffi.html) for lua(jit) in the future, anyways.
# v3.7.1 -- 2013-10-13
* Remove un-needed code
# v3.7.0 -- 2013-10-13
Major Release
* [Issue #54](https://github.com/client9/libinjection/issues/54): Add test vectors from [Arne Swinnen](http://www.arneswinnen.net/2013/09/automated-sql-injection-detection/). Thanks [qerub@github](https://github.com/qerub)
* Minor fingerprint update for [Issue #54](https://github.com/client9/libinjection/issues/54). I don't really think it's valid SQL but it's safe enough to detect without false positives.
* [Issue #55](https://github.com/client9/libinjection/issues/55): Parse MS SQLSERVER use of \[brackets\] for column and table names. This is a big one that closes a lot of holes. Thanks [nroggle@github](https://github.com/nroggel)
* [Issue #56](https://github.com/client9/libinjection/issues/56): fix buffer over-read. Thanks [safe3@github](https://github.com/Safe3) and [flily@github](https://github.com/flily)
* Remove use of `-fstack-protector` as it breaks valgrind detecting memory problems
Read more about it http://blog.client9.com/2013/10/12/gcc-valgrind-stackprotector.html
* Fixed folding issue where `1,-sin(1))` would be folded as `1 (1)`
* Add more test cases and improved test coverage to [98.8%](https://libinjection.client9.com/cicada/artifacts/libinjection-coverage-unittest/lcov-html/c/libinjection_sqli.c.gcov.html)
# v3.6.0 -- 2013-09-11
* New PHP API
* Big fingerprint update
** about 500 new fingerprints added based on fuzzing tests by Reto Ischi
** about 700 impossible, dead fingerprints removed
** adding folding rule for "sqltype sqltype -> sqltype" since
`select binary binary binary 1` is valid
* Other minor fingerprints added
* -maybe- API change as typedefs and structs were re-arranged for SWIG
# v3.5.3 -- 2013-08-25
* Fingerprint update -- `BETWEEN` operation bypasses
* Fingerprint update -- `ANY/SOME` quasi-function bypasses
* Fixed issue with folding where `1-(2-3)` would fold to "nothing" instead of `1`
* Improved test coverage to [98.0%](https://libinjection.client9.com/cicada/artifacts/libinjection-coverage-unittest/lcov-html/c/libinjection_sqli.c.gcov.html)
* More adjustments to the PHP/MYSQL backtick to reduce false positives
# v3.5.2 -- 2013-08-21
* Fingerprint update. Credit: Reto Ischi
# v3.5.1 -- 2013-08-21
* found regression in handling of PHP/MySQL backticks. Tests added
* Dead code removed.
* Improved test coverage to [97.7%](https://libinjection.client9.com/cicada/artifacts/libinjection-coverage-unittest/lcov-html/c/libinjection_sqli.c.gcov.html)
# v3.5.0 -- 2013-08-21
* Bug fix for libinjection_sqli_reset @brianrectanus
https://github.com/client9/libinjection/pull/50
* Non-critical parser fix for numbers with oracle's ending
suffix. "SELECT 1FROM .." -> (SELECT, 1, FROM) not
(SELECT, 1F, ROM)
* Yet another fix for disambiguating Oracle's "f" suffix for numbers HT @LightOS
* Better parsing of generated number forms of "10.e" and "10.10e"
(these are actually table specifiers!) HT @LightOS
* Change sizing of some static arrays to have a length >= 8
For GCC based applications, this allows -fstack-protector to work
and -Wstack-protector will now not emit errors.
* Added '-fstack-protector-all -D_FORTIFY_SOURCE=2' to default CFLAGS.
About 10% performance loss with -fstack-protector-all
* Improvements in reducing false positives, HT modsecurity team
* Add fingerprint, HT @FluxReiners
* Support for parsing of old ODBC-style typing, e.g. 'select {foo 1};' (valid in MySQL)
* Fix tokenization of "IF EXISTS(....", "IF NOT EXISTS(..."
* Fi possible stack over-read, and improve detection of "sp_password" flag
in short sqli HT modsecurity team
# v3.4.1 2013-07-18
* Fingerprint update only HT @LightOS
# v3.4.0 2013-07-18
* Fix regression with COLLATE
* Handle "procedure analyze" under MySQL
* Make API most robust when setting flags
* Add folding API
* Add new all-C test driver to improve testing speed
* Makefile cleanups
* Fired Jenkins! Using in-house system.
* Fixed bypass reported by @FluxReiners
# v3.3.0 2013-07-13
* change how backslash is handled to catch old MSSQL servers sqli
See http://websec.ca/kb/sql_injection#MSSQL_Allowed_Intermediary_Chars_AND-OR
for details
* Reworking of COLLATE to handle MySQL, TSQL types automatically
* Handle bizarro world TSQL '\%1' which is parsed as "0 % 1"
* Better stacked query detection, fixing some regressions
* Folding improvements
* False positive improvements
# v3.2.0 2013-07-12
* Parse binary litterals "0b010101" used by at least mysql and pgsql
* Add fingerprints '1&EUE', '1&EkU' to work around ambiguous parsing rules
"-1.for" == '-1.f OR' vs. '-1. FOR' CREDIT @LightOS
* Add parsing rules for COLLATION in MySQL, CREDIT @LightOS
* Reduce false positives by removing all fingerprints that contained "sn"
* Improvement in handling MySQL 'binary' quasi-operator/type
* Improvements in folding
* Removed dependency on SWIG for installing python module
# v3.1.0 2013-07-02
* Fix for parsing Oracle numeric literals
* Fix for oracle whitespace with null char.
* Add unusual SQL join types to keywords lists
* Minor fixes to python API examples
# v3.0.0 2013-06-23
Big Release and Big Engine change. Highly recommend
* Numerous evasions and false positives fixed!
* Tokenizer is now really dumb, and publically exposed. See `libinjection_sqli_tokenize`.
* Folding engine completely rewritten to be simpler and easier to extend, debug, port.
* MySQL `backticks` now handled correctly
* @"var" and @'var' parsed correctly (mysql)
* ":=" operator parsed correctly
* non-ascii SQL variables and barewords handled correctly
* less false positives and those that are false positives
are more "indeterminate cases" and are only in a few
fingerprints
* autogeneration of fingerprints with trivial SQL variations
* support for pgsql $ strings
* support for oracle's q and nq strings
* support for mysql's n strings
* parsing stats exposed
* new swig bindings for python and lua, with callbacks into original scripting
language for accept/reject of fingerprints (i.e. manage fingerprints in
script, not C code)
* Improved parsing of various special cases in MySQL
* Ban MySQL conditional comments. If we find them, it's marked as SQLi immediately.
* Probably a bunch of other stuff too
# v2.0.4 2013-05-21 IMPORTANT
All users are advised to upgrade due to risk of DOS
## security
* more fingerprints, more tests
* Issue 34: fix infinite loop
# v2.0.3 2013-05-21
## security
* Add variations on '1U(((', thanks @LightOS
* Add automatically all variations on other cases of
'parens padding'
# v2.0.2 2013-05-21
## security
* Added fingerprint 'nU(kn' and variations, thanks to
discussion with @ModSecurity .
# v2.0.1 2013-05-21
## security
* Added fingerprint knknk, thanks @d0znpp
# v2.0.0 2013-05-17
Version 2 is more a software engineering release than SQLi.
The API, the code, and filenames are improved for embedded
use. Please see the README.md file for details on use.
## security
* Fix Issue30: detection of more small sqli forms with fingerprint "1c".
* Fix Issue32: false positive of '*/*' of type 'oc' Thanks to @brianrectanus
## API Changes
BIG CHANGES
* File name changes. These are the only relevant files:
* `c/libinjection.h`
* `c/libinjection_sqli.c`
* `c/libinjection_sqli_data.h`
* `COPYING`
* Just need to include `libinjection.h` and link with `libinjection_sqli_.c`
* `sqlparse_private.h` and `sqli_fingerprints.h` are deprecated.
Only use `#include "libinjection.h"`
* API name changes `is_sqli` and `is_string_sqli` are now
`libinjection_is_sqli` and `libinjection_is_string_sqli`
* API change, `libinjection_is_sqli` now takes a 5th arg for callback data
* API change, `libinjection_is_sqli` accepts `NULL` for arg4 and arg5
in which case, a default lookup of fingerprints is used.
* `sqlmap_data.json` now includes fingerprint information, so people making
ports only need to parse one file.
## other
* Allow `clang` compiler (also in Jenkins, a build with clang and
make-scan is done)
* Optimizations should result in > 10% performance improvement
for normal workloads
* Add `sqlite3` special functions and keywords (since why not)
# v1.2.0 2013-05-06
## security
* fix regression in detecting SQLi of type '1c'
##
* improved documentation, comments, edits.
# v1.1.0 2013-05-04
## security
* Fix for nested c-style comments used by postgresql and transact-sql.
Thanks to @Kanatoko for the report.
* Numerous additions to SQL functions lists (in particular pgsql, transact-sql
and ms-access functions)
Thanks to Christoffer Sawicki (GitHub "qerub") for report on cut-n-paste error.
Thanks to @ryancbarnett for reminder that MS-ACCESS exists ;-)
* Adding of fingerprints to detect HPP attacks.
* Algorihmically added new fingerprints to detect new _future_ sqli attacks. All of these
new fingerprints have no been seen 'in the wild' yet.
## other
* Replaced BSD memmem with optimzed version. This eliminates all 3rd party code.
* Added alpha python module (python setup.py install)
* Added sqlparse_fingerprints.h and sqlparse_data.json to aid porting and embeddeding.
* Added version number in sqlparse.h, based on
http://www.python.org/dev/peps/pep-0386/#normalizedversion
# v1.0.0 2013-04-24
* retroactive initial release
* all memory issues fixed