2010-11-14

Access security in mod_plsql or EPG

With mod_plsql or EPG (embedded PL/SQL gateway) every procedure that meets the calling conditions can be invoked from the web. That is a security problem if you do not protect your procedures against it.
mod_plsql and EPG (DBMS_EPG) provide two ways to deal with that:

the DAD properties:
PlsqlExclusionList (in EPG it's exclusion-list) - lets you specify a blacklist of procedure name patterns. Its default varies with the version, but normally it is
sys.*, dbms_*, utl_*, owa_*, owa.*, htp.*, htf.*, wpg_docload.*
That means, for instance, that any call whose name matches utl_* cannot be accessed.
Be advised that at some clients the configuration may differ, and your "web packages that always work" could get an access error message!

PlsqlRequestValidationFunction (in EPG it's request-validation-function) - lets you specify a function that provides additional blacklisting or whitelisting. The function must have a spec like the following (only the function name can change):
function <function_name> (procedure_name IN varchar2) return boolean

If it returns TRUE the access is allowed; otherwise the access is denied and the client gets an HTTP Forbidden message.

An example of whitelisting. You have a table my_pages with all the procedure names (in column name) that can be called from the web. This is the best practice, because the programmer must explicitly put the procedure name there for it to be allowed.

-- Request validation function: same spec the gateway requires,
-- (procedure_name IN VARCHAR2) RETURN BOOLEAN.
FUNCTION my_validation_check (procedure_name IN VARCHAR2)
    RETURN BOOLEAN
IS
    li_check   PLS_INTEGER;
BEGIN
    -- The gateway passes the name as requested by the client;
    -- names in my_pages are stored upper-cased, so normalise before comparing.
    SELECT 1
      INTO li_check
      FROM my_pages
     WHERE name = UPPER (procedure_name);

    RETURN TRUE;            -- registered in the whitelist: allow the call
EXCEPTION
    WHEN NO_DATA_FOUND
    THEN
        RETURN FALSE;       -- not registered: the client gets HTTP Forbidden
END my_validation_check;
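As an added example (not code from the original post), here is the whole whitelist setup end to end: the my_pages table, a fail-closed variant of the validation function, and the DBMS_EPG calls that attach it to a DAD. The table name, the procedure names WEB_PKG.HOME and WEB_PKG.SEARCH, the schema WEBAPP and the DAD name WEBAPP_DAD are assumptions; DBMS_EPG.CREATE_DAD, SET_DAD_ATTRIBUTE and AUTHORIZE_DAD are the documented API, and the exclusion list is left at the gateway default described above.

```plsql
-- Added example, not from the original post. Names MY_PAGES, WEB_PKG.*,
-- WEBAPP and WEBAPP_DAD are assumptions.

-- 1. The whitelist. Every procedure callable from the web must be registered
--    here explicitly, upper-cased and qualified the way the client requests it
--    (package.procedure or schema.package.procedure). The primary key rules
--    out duplicates, so a lookup can never raise TOO_MANY_ROWS.
CREATE TABLE my_pages (
    name  VARCHAR2(128) PRIMARY KEY
);

INSERT INTO my_pages (name) VALUES ('WEB_PKG.HOME');
INSERT INTO my_pages (name) VALUES ('WEB_PKG.SEARCH');
COMMIT;

-- 2. The validation function, with the spec the gateway requires.
--    It fails closed: no row, a malformed name or any raised error all
--    return FALSE, which the gateway turns into HTTP Forbidden.
CREATE OR REPLACE FUNCTION my_validation_check (procedure_name IN VARCHAR2)
    RETURN BOOLEAN
IS
    l_name   my_pages.name%TYPE;
    l_found  PLS_INTEGER;
BEGIN
    -- Normalise what the gateway hands us so 'web_pkg.home' and
    -- 'WEB_PKG.HOME' compare the same way.
    l_name := UPPER (TRIM (procedure_name));

    -- Accept only a plain identifier path (up to schema.package.procedure).
    -- Assumption: the application does not expose quoted identifiers.
    IF l_name IS NULL
       OR NOT REGEXP_LIKE (l_name, '^[A-Z][A-Z0-9_$#]*(\.[A-Z][A-Z0-9_$#]*){0,2}$')
    THEN
        RETURN FALSE;
    END IF;

    SELECT COUNT (*)
      INTO l_found
      FROM my_pages
     WHERE name = l_name;

    RETURN l_found = 1;     -- TRUE only for a registered name
EXCEPTION
    WHEN OTHERS
    THEN
        RETURN FALSE;       -- an unexpected error must never allow the call
END my_validation_check;
/

-- 3. Attach it to an EPG DAD (run as a user that can execute DBMS_EPG).
--    The DAD's database user (WEBAPP) must be able to execute the function.
BEGIN
    DBMS_EPG.create_dad (dad_name => 'WEBAPP_DAD', path => '/webapp/*');
    DBMS_EPG.set_dad_attribute ('WEBAPP_DAD', 'database-username', 'WEBAPP');
    DBMS_EPG.set_dad_attribute ('WEBAPP_DAD',
                                'request-validation-function',
                                'WEBAPP.MY_VALIDATION_CHECK');
    DBMS_EPG.authorize_dad ('WEBAPP_DAD', 'WEBAPP');
END;
/

-- With mod_plsql the same function is configured in the DAD section of
-- dads.conf instead:
--   PlsqlRequestValidationFunction WEBAPP.MY_VALIDATION_CHECK
```

The exclusion list is still evaluated by the gateway, so a name such as utl_http.request is refused before the function is even called; the function only adds the explicit whitelist on top of it. Returning FALSE from WHEN OTHERS is the important design choice: if the table is dropped, the DAD user loses its grant, or anything else goes wrong, the web side stays closed rather than open.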


Other gateways have similar options, and some even more (like a whitelist in the DAD configuration).

Good and secure coding!
