small note about security

lovasoa · lovasoa · commit f68f4a001b4b · 2023-11-12T00:00:11.000+01:00
diff --git a/examples/official-site/component_not_found.sql b/examples/official-site/component_not_found.sql
@@ -0,0 +1,32 @@
+select 'dynamic' as component, properties FROM example WHERE component = 'shell' LIMIT 1;
+
+select 
+    'hero'                 as component,
+    'Not found'              as title,
+    'Sorry, the component you were looking for does not exist.' as description_md,
+    'https://upload.wikimedia.org/wikipedia/commons/thumb/2/2b/Sad_clown.jpg/640px-Sad_clown.jpg' as image,
+    '/documentation.sql'   as link,
+    'Back to the documentation' as link_text;
+
+-- Friendly message after an XSS or SQL injection attempt
+set $attack = CASE WHEN
+    $component LIKE '%<%' or $component LIKE '%>%' or $component LIKE '%/%' or $component LIKE '%;%'
+    or $component LIKE '%--%' or $component LIKE '%''%' or $component LIKE '%(%'
+THEN 'attacked' END;
+
+select 
+    'alert'                    as component,
+    'A note about security'    as title,
+    'alert-triangle'           as icon,
+    'teal'                     as color,
+    TRUE              as important,
+    'SQLPage takes secutity very seriously.
+Fiddling with the URL to try to access data you are not supposed to see, or to
+trigger a SQL or javacript injection, should never work.
+
+However, if you think you have found a security issue, please
+report it and we will fix it as soon as possible.
+' as description
+where $attack = 'attacked';
+select 'safety.sql' as link, 'More about SQLPage security' as title where $attack='attacked';
+select 'https://github.com/lovasoa/SQLpage/security' as link, 'Report a vulnerability' as title where $attack='attacked';
diff --git a/examples/official-site/documentation.sql b/examples/official-site/documentation.sql
@@ -1,5 +1,11 @@
+-- ensure that the component exists and do not render this page if it does not
+select 'redirect' as component,
+    'component_not_found.sql?component=' || sqlpage.url_encode($component) as link
+where $component is not null and not exists (select 1 from component where name = $component);
+
 -- This line, at the top of the page, tells web browsers to keep the page locally in cache once they have it.
 select 'http_header' as component, 'public, max-age=600, stale-while-revalidate=3600, stale-if-error=86400' as "Cache-Control";
+
 select 
     'dynamic' as component,
     json_set(
diff --git a/examples/official-site/safety.sql b/examples/official-site/safety.sql
@@ -99,6 +99,10 @@ and to respect [security best practices](https://cheatsheetseries.owasp.org/chea
 Passwords are [hashed with a salt](https://en.wikipedia.org/wiki/Salt_(cryptography)) using the
 [argon2](https://en.wikipedia.org/wiki/Argon2) algorithm.
 
+However, if you implement your own session management system using the [`cookie` component](/documentation.sql?component=cookie#component),
+you should be careful to follow the [OWASP session management best practices](https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#cookies).
+Implementing your own session management system is not recommended if you are a non-technical user and don''t have a good understanding of web security.
+
 ## Database connections
 
 SQLPage uses a fixed pool of database connections, and will never open more connections than the ones you
