/cgi-bin/protected and /cgi-bin

Spud2004

Protected: /cgi-bin/protect in access control deny/allow
Unprotect: /cgi-bin nothing in access control
Is this the correct way to have a protected and unprotected cgi-bin folder?
This code allows displaying SQL recordsets or downloading files into a string from a protected page.
It allows secure user/password protected returning of data from cgi programs!
PowerBASIC source code:


#DIM ALL
#INCLUDE "httprequest.inc"

FUNCTION PBMAIN()
 LOCAL sURL,sUserName,sPassword,sDataReturned,sStatus AS STRING
 sURL      = "https://yoursite.com/cgi-bin/myprogram.exe?select * from parts"
 sUserName = "me"
 sPassword = "me"
 sStatus = DownloadTest(sURL,sUserName,sPassword,sDataReturned)
 IF sStatus = "OK" THEN
   ? USING$("Downloaded #, bytes",LEN(sDataReturned)),,sStatus
   ? sDataReturned
 ELSE
   ? sStatus,%MB_ICONERROR OR %MB_SYSTEMMODAL,"Download failed"
 END IF
END FUNCTION 

FUNCTION DownloadTest(sURL   AS STRING,_
              sUserName      AS STRING,_
              sPassword      AS STRING,_
              sDataReturned  AS STRING) AS STRING
 RESET sDataReturned
 DIM pHttpReq AS IWinHttpRequest
 pHttpReq = NEWCOM "WinHttp.WinHttpRequest.5.1"
 IF ISNOTHING(pHttpReq) THEN
  ? "WinHttpRequest.5.1 failure",%MB_ICONERROR OR %MB_SYSTEMMODAL,FUNCNAME$
  EXIT FUNCTION
 END IF
 pHttpReq.Open "GET", sURL, 0
 pHttpReq.SetCredentials sUserName, sPassword, %HTTPREQUEST_SETCREDENTIALS_FOR_SERVER
 pHttpReq.Send
 IF pHttpReq.StatusText <> "OK" THEN
  IF pHttpReq.StatusText = "" THEN
    FUNCTION = "No send response"
  ELSE
    FUNCTION = pHttpReq.StatusText
  END IF
 ELSE  'success
  sDataReturned = pHttpReq.ResponseText
  FUNCTION = pHttpReq.StatusText
 END IF
 pHttpReq = NOTHING
END FUNCTION

Horizon

Hello,
the exact explanation for the Allow/Deny ordering is:

Order: The order that the server follows to check if access is granted to a
client based on its IP address. If it is set to Allow/Deny, access is denied by
default and is allowed only if the IP address is in the Allow for list and is
not in the Deny for list. If it is set to Deny/Allow, access is allowed by
default and is denied only if the IP address is in the Deny for list and is not
in the Allow for list.

So what you want is to allow /cgi-bin but not to a protected directory inside of it.
Then you will need to use Deny/Allow.
That means you can access anything within /cgi-bin unless it's in the Deny list.
This way you put /cgi-bin in Allow and /cgi-bin/protect in Deny.
However your CGI PowerBasic code looks risky to me.
You use a literal arbitrary string that gets executed as a command against your database.
This could enable malicious links with intentionally malformed queries to corrupt your DB.
You want to let users download a specific recordset, so you you should 'shim' a new API and hide the SQL queries behind it:
Hardcode a list of keywords in a conditional table such as a Select statement.
Then if the keyword is like:
https://your-website/cgi-bin/get-records-set.exe?id=parts
Then you manually yourself run the appropriate query statement against your database.
This way you don't give any chance for attackers to give trick query strings to your server.
So I mean that you need not to execute anything the visitor gives you even if authenticated.
For downloading big files, you might want to create a restricted directory then implement X-Sendfile.
Basically you create a restricted folder to put downloadable files inside, and you deny remote access to it.
When authorized users want to download, in your CGI program you will be able to simply return the X-Sendfile header with the literal real path to the requested file.
Then Abyss itself will terminate the CGI script and start returning the file to the visitor.
You can do any checks you want first, then start returning X-Sendfile heades only when authorized.
Abyss only takes over the CGI session when it intercepts this header while X-Sendfile support is enabled.
For big files, it's worth thinking about it I think.

Spud2004

1) /cgi-bin/protected is correct. Great.
2) Return headers to let Abyss do the download will be implemented.
Is referencing keywords to only allow certain SQL actions have a name?
I can do it, but would like to do it the correct proven way.
I have decided to not allow any remote SQL statement access.
Many topics at this link:
https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
...

Horizon

The name of the method I mentioned is 'Allow-list Input Validation'.
Perhaps my mentioned method isn't correct if you hardcode the list of allowed keywords in every check of your code.
You will probably then want to use a general include file where you define a constant Array of keywords and their corresponding SQL statements.
Like this:
- Item 1:
[0][0]: "parts" | [0][1]: " select * from parts;"
- Item 2:
[1][0]: "payments" | [1][1]: "select * from payments;"
This way you still only allow trusted keywords but you just have to maintain the allowed keywords in one place instead of many places across your program code.
You could do something like:

Const Array ALLOWED_QUERIES = [ ["parts", "select * from parts;"], ["payments", "select * from payments;"] ]

Then you can simply try to find the visitor's keyword in the Array, and if not found you can deny processing it.
The link you shared is also a nice one, I will keep reading it.