diff --git a/examples/official-site/component_not_found.sql b/examples/official-site/component_not_found.sql
new file mode 100644
index 00000000..d52297b6
--- /dev/null
+++ b/examples/official-site/component_not_found.sql
@@ -0,0 +1,32 @@
+select 'dynamic' as component, properties FROM example WHERE component = 'shell' LIMIT 1;
+
+select
+ 'hero' as component,
+ 'Not found' as title,
+ 'Sorry, the component you were looking for does not exist.' as description_md,
+ 'https://upload.wikimedia.org/wikipedia/commons/thumb/2/2b/Sad_clown.jpg/640px-Sad_clown.jpg' as image,
+ '/documentation.sql' as link,
+ 'Back to the documentation' as link_text;
+
+-- Friendly message after an XSS or SQL injection attempt
+set $attack = CASE WHEN
+ $component LIKE '%<%' or $component LIKE '%>%' or $component LIKE '%/%' or $component LIKE '%;%'
+ or $component LIKE '%--%' or $component LIKE '%''%' or $component LIKE '%(%'
+THEN 'attacked' END;
+
+select
+ 'alert' as component,
+ 'A note about security' as title,
+ 'alert-triangle' as icon,
+ 'teal' as color,
+ TRUE as important,
+ 'SQLPage takes secutity very seriously.
+Fiddling with the URL to try to access data you are not supposed to see, or to
+trigger a SQL or javacript injection, should never work.
+
+However, if you think you have found a security issue, please
+report it and we will fix it as soon as possible.
+' as description
+where $attack = 'attacked';
+select 'safety.sql' as link, 'More about SQLPage security' as title where $attack='attacked';
+select 'https://github.com/lovasoa/SQLpage/security' as link, 'Report a vulnerability' as title where $attack='attacked';
\ No newline at end of file
diff --git a/examples/official-site/documentation.sql b/examples/official-site/documentation.sql
index b55fdacc..32dfb3f1 100644
--- a/examples/official-site/documentation.sql
+++ b/examples/official-site/documentation.sql
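Review bot: The `set $attack = CASE WHEN ... LIKE ...` block is a display heuristic, but its comment ("Friendly message after an XSS or SQL injection attempt") reads as if it were input validation, which invites a later maintainer to extend the denylist instead of relying on parameter binding; I would reword it to `-- Display-only heuristic for choosing a friendlier message; NOT a security control. $component is always bound as a parameter, which is what actually prevents injection.` The alert's user-facing text also has two typos that ship to visitors: `'SQLPage takes security very seriously.` and `trigger a SQL or javascript injection, should never work.`. Minor: the leading `select 'dynamic' ... LIMIT 1` has no ORDER BY, so which shell row is picked is unspecified if the table ever holds more than one.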
@@ -1,5 +1,11 @@
+-- ensure that the component exists and do not render this page if it does not
+select 'redirect' as component,
+ 'component_not_found.sql?component=' || sqlpage.url_encode($component) as link
+where $component is not null and not exists (select 1 from component where name = $component);
+
 -- This line, at the top of the page, tells web browsers to keep the page locally in cache once they have it.
 select 'http_header' as component, 'public, max-age=600, stale-while-revalidate=3600, stale-if-error=86400' as "Cache-Control";
+
 select 'dynamic' as component, json_set(
diff --git a/examples/official-site/safety.sql b/examples/official-site/safety.sql
index 6d2d18c1..34d10c14 100644
--- a/examples/official-site/safety.sql
+++ b/examples/official-site/safety.sql
@@ -99,6 +99,10 @@ and to respect [security best practices](https://cheatsheetseries.owasp.org/chea
 Passwords are [hashed with a salt](https://en.wikipedia.org/wiki/Salt_(cryptography)) using the [argon2](https://en.wikipedia.org/wiki/Argon2) algorithm.
+However, if you implement your own session management system using the [`cookie` component](/documentation.sql?component=cookie#component),
+you should be careful to follow the [OWASP session management best practices](https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#cookies).
+Implementing your own session management system is not recommended if you are a non-technical user and don''t have a good understanding of web security.
+
 ## Database connections
 SQLPage uses a fixed pool of database connections, and will never open more connections than the ones you
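Review bot: The new `select 'redirect' ...` statement's position ahead of the `http_header` statement is load-bearing but undocumented: a redirect presumably has to be emitted before any page body is written, so moving it below the cache header or the shell during a later refactor would silently break the not-found handling. I would extend the added comment to say so, e.g. `-- keep this as the first statement: the redirect must be emitted before any other component renders`. It is also worth a one-line comment that `sqlpage.url_encode($component)` is what keeps the user-controlled value from breaking the query string of the generated link, since the target page pattern-matches `$component` but never renders it. The hunk's trailing context appears truncated here, so the rest of the page is not visible.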