Reputation: 1023
Sanitize User Input in SAS
What is a safe way to sanitize user input from SAS stored process parameters?
SAS stored processes can accept user input via parameters. At a high level, these user inputs can contain special text that will cause issues in SAS.
For example, if a user inputs Bad"Text into a lastName, the following code is problematic:
Proc SQL;
Select *
From Foo
Where Bar = "&LastName";
Quit;
Preventing this specific instance is easy, but what if the user is attempting to inject code.
Replacing all " in a macro variable isn't enough if the user includes targeted characters like '"%&.
Is there a robust solution towards escaping special characters in macro variables that later need to be used, in this case in the where clause of a pass through SQL statement?
Upvotes: 1
Views: 414
Answers (1)
Reputation: 27508
The SAS stored process server should already be protecting your SAS session from client attempted injections.
From "SAS 9.1.3 Integration Technologies » Developer's Guide"
Special Character Quoting
Input parameter values are specified by the stored process client at run time. The author of a stored process has little control over the values a client can specify. Setting the values directly into SAS macro variables would allow clients to insert executable macro code into a stored process and could lead to unexpected behavior or unacceptable security risks. For example, if an input parameter named COMP was set to "Jones&Comp." and passed directly into the macro variable, any references to &COMP in the stored process program would lead to an invalid recursive macro reference. To avoid this problem, stored process parameters are masked with SAS macro quoting functions before being set into macro variables. In the previous example, the parameter COMP would be set with the equivalent of:%let COMP=%nrstr(Jones&Comp.);
The stored process can then freely use &COMP without special handling for unusual input values. Special characters that are masked for input parameters are the ampersand (&), apostrophe ('), percent sign (%), quotation marks ("), and semicolon (;).
There might be special cases where you want to unmask some or all of the special characters in an input parameter. TheSTPSRV_UNQUOTE2function unmasks only matched apostrophe (') or quotation mark (") characters. This can be useful for passing in parameters that are used as SAS options. The%UNQUOTEmacro function unquotes all characters in an input parameter, but you should only use this function in very limited circumstances. You should carefully analyze the potential risk from unexpected client behavior before unquoting input parameters. Remember that stored processes can be executed from multiple clients and some client interfaces perform little or no checking of input parameter values before they are passed to the stored process.
Note: An input parameter to a stored process executing on a workspace server cannot contain both apostrophe (') and quotation mark (") characters. Attempting to set such an input parameter will result in an error.
If for some reason a macro value becomes unquoted I would recommend using %SUPERQ(myMacroVar) which resolve the value in a manner more safe than &myMacroVar
Having a 'test bed' that checks a stored process (which at the simplest interpretation is just a macro) outside a stored process server may lead you to think the injection is possible because the test bed may not quote the parameters in the same way the server would.
Upvotes: 2
Related Questions
- SAS Latex Destination: Suppress SAS escape chars
- SAS INPUT DATA WITH SPECIAL CHARACTERS
- Reading from input with double trailing @@
- SAS INPUT COLUMN
- Data input in SAS
- Where to specify input @ in SAS?
- Formatting Data for SAS
- getting input format
- Avoiding a SAS error message: "NOTE: Invalid argument to function INPUT"
- Special Characters in SAS