
refactored sql injection vulnerability. Mapped static entries with mu…
…ltiple redundant pieces of code..
adamcongdon committed Dec 16, 2024
1 parent 328ea9b commit 07785cd
Showing 4 changed files with 104 additions and 81 deletions.
62 changes: 0 additions & 62 deletions vHC/HC_Reporting/Functions/Collection/DB/CDbWorker.cs

This file was deleted.

115 changes: 100 additions & 15 deletions vHC/HC_Reporting/Functions/Collection/DB/CQueries.cs
Expand Up @@ -2,15 +2,19 @@
// MIT License
using System;
using System.Data;
using System.Data.SqlClient;
using System.IO;
using System.Security.Principal;
using VeeamHealthCheck.Shared;
using VeeamHealthCheck.Shared.Logging;
using static System.Runtime.InteropServices.JavaScript.JSType;

namespace VeeamHealthCheck.Functions.Collection.DB
{
class CQueries
{
private CLogger log = CGlobals.Logger;
private readonly string _cString;

private DataTable _sqlInfo;
private string _sqlEdition;
Expand All @@ -24,9 +28,10 @@ class CQueries
public DataTable JobTypes { get { return _jobTypes; } }


public CDbWorker dbWorker = new();
public CQueries()
{
CDbAccessor dbs = new CDbAccessor();
_cString = dbs.DbAccessorString();
try
{
GetSqlServerInfo();
Expand Down Expand Up @@ -111,7 +116,7 @@ private void GetSqlServerVersion()
string query = "Select @@version";

//CDbWorker d = new();
DataTable dt = Fetch(query);
DataTable dt = FetchSqlServerVersion();

if (dt == null)
{
Expand Down Expand Up @@ -145,48 +150,128 @@ private void GetSqlServerVersion()
log.Info("getting sql server version..done!");

}
private DataTable FetchSqlServerVersion()
{
try
{
using var connection = new SqlConnection(_cString); ;
using SqlCommand command = new SqlCommand("Select @@version", connection);


connection.Open();
DataTable t = new();

t.Load(command.ExecuteReader());

connection.Close();
log.Info("executing sql query..done!");
return t;
}
catch (Exception e)
{
log.Error(e.Message);
return null;
}
}

private void GetSqlServerInfo()
{
log.Info("getting sql server info");
string query = "select cpu_count, hyperthread_ratio, physical_memory_kb from sys.dm_os_sys_info";
_sqlInfo = Fetch(query);
_sqlInfo = FetchSqlServerInfo();
log.Info("getting sql server info..done!");
}
private DataTable FetchSqlServerInfo()
{
try
{
using var connection = new SqlConnection(_cString);
string query = "select cpu_count, hyperthread_ratio, physical_memory_kb from sys.dm_os_sys_info";

using SqlCommand command = new SqlCommand(query, connection);


connection.Open();
DataTable t = new();

t.Load(command.ExecuteReader());

connection.Close();
log.Info("executing sql query..done!");
return t;
}
catch (Exception e)
{
log.Error(e.Message);
return null;
}
}

private void GetBjobInfo()
{
string query = "select type,name,repository_id, included_size from [Bjobs]";
_jobInfo = Fetch(query);
_jobInfo = FetchBJobInfo();

try { DumpDataToCsv(_jobInfo); }
catch(Exception e){ log.Error("Failed to dump bjobs to csv.."); log.Error(e.Message); }
}
private DataTable FetchBJobInfo()
{
try
{
using var connection = new SqlConnection(_cString);
string query = "select type,name,repository_id, included_size from [Bjobs]";

using SqlCommand command = new SqlCommand(query, connection);


connection.Open();
DataTable t = new();

t.Load(command.ExecuteReader());

connection.Close();
log.Info("executing sql query..done!");
return t;
}
catch (Exception e)
{
log.Error(e.Message);
return null;
}
}

private void GetJobSummary()
{
log.Info("getting job summary info");
string query = "select type from [Bjobs]";
_jobTypes = Fetch(query);
_jobTypes = FetchJobSummaryInfo();
log.Info("getting job summary info..ok!");
}

private DataTable Fetch(string query)
private DataTable FetchJobSummaryInfo()
{
try
{
log.Info("fetching sql data..");
//CDbWorker d = new();
DataTable dt = dbWorker.ExecQuery(query, new System.Collections.Generic.Dictionary<string, object>());
using var connection = new SqlConnection(_cString);
string query = "select type from [Bjobs]";

log.Info("fetching sql data..ok!");
return dt;
using SqlCommand command = new SqlCommand(query, connection);


connection.Open();
DataTable t = new();

t.Load(command.ExecuteReader());

connection.Close();
log.Info("executing sql query..done!");
return t;
}
catch (Exception e)
{
log.Error(e.Message);
return null;
}
}


}

}
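Review bot: FetchSqlServerVersion, FetchSqlServerInfo, FetchBJobInfo and FetchJobSummaryInfo are four copies of the same open/execute/load/catch body that differ only in the literal handed to `SqlCommand`, and in each of them the SqlDataReader returned by `command.ExecuteReader()` is never disposed (the `using` on the connection covers it in practice, which also makes the explicit `connection.Close()` after `t.Load` redundant). Every query text in this hunk, on both the removed and the added side, is a string literal, so the injection exposure the commit title refers to is not visible here; if the motivation was an analyzer rule on non-constant command text, one private helper that receives the literal from `const string` callers removes the duplication without reintroducing a caller-supplied query. FetchSqlServerVersion also carries a stray empty statement, `using var connection = new SqlConnection(_cString); ;`, and the `using static System.Runtime.InteropServices.JavaScript.JSType;` directive in the first hunk looks unused (possibly an IDE auto-insert; verify before removing). Logging only `e.Message` in the catch blocks drops the exception type and stack, so passing `e` itself to the logger, or at least `e.ToString()`, would make failed queries diagnosable. The helper below lets each Fetch* method collapse to a one-line call.
```csharp
private const string SqlServerVersionQuery = "Select @@version";
// … unchanged: remaining query literals become const string fields the same way …

// Runs one of the query literals declared on this class and returns the result set,
// or null when the query fails (the error is logged, matching the existing catch blocks).
private DataTable ExecuteLiteralQuery(string sql)
{
    try
    {
        using var connection = new SqlConnection(_cString);
        using var command = new SqlCommand(sql, connection);
        connection.Open();
        // Dispose the reader explicitly rather than relying on connection teardown.
        using var reader = command.ExecuteReader();
        DataTable t = new();
        t.Load(reader);
        log.Info("executing sql query..done!");
        return t;
    }
    catch (Exception e)
    {
        log.Error(e.Message);
        return null;
    }
}

private DataTable FetchSqlServerVersion() => ExecuteLiteralQuery(SqlServerVersionQuery);
// … unchanged: FetchSqlServerInfo / FetchBJobInfo / FetchJobSummaryInfo follow the same one-line shape …
```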
4 changes: 2 additions & 2 deletions vHC/HC_Reporting/VeeamHealthCheck.csproj
Expand Up @@ -11,10 +11,10 @@
<Company>Veeam</Company>
<Authors>AdamC</Authors>
<ApplicationIcon>Health_Check_Icon.ico</ApplicationIcon>
<AssemblyVersion>2.0.0.568</AssemblyVersion>
<AssemblyVersion>2.0.0.569</AssemblyVersion>
<SignAssembly>False</SignAssembly>
<DelaySign>false</DelaySign>
<FileVersion>2.0.0.568</FileVersion>
<FileVersion>2.0.0.569</FileVersion>
<DebugType>full</DebugType>
<SelfContained>true</SelfContained>
<!--These 2 lines are what produce the single file utility. Possibly doesn't work...-->
4 changes: 2 additions & 2 deletions vHC/VhcXTests/VhcXTests.csproj
Expand Up @@ -7,8 +7,8 @@

<IsPackable>false</IsPackable>
<IsTestProject>true</IsTestProject>
<AssemblyVersion>1.0.0.295</AssemblyVersion>
<FileVersion>1.0.0.295</FileVersion>
<AssemblyVersion>1.0.0.296</AssemblyVersion>
<FileVersion>1.0.0.296</FileVersion>
</PropertyGroup>

<ItemGroup>
