Fix a potential newline SQL injection bug

Author: clovett

Source/WPF/MoneyPackage/BundleArtifacts/MoneyPackage.appinstaller.xml

@@ -1,2 +1,2 @@
 <?xml version="1.0" encoding="utf-8"?>
-<AppInstaller DisplayName="MyMoney.Net" IsBundle="true" Version="2.0.0.6" DisplayPublisher="Chris Lovett" SupportedArchitectures="neutral" OutputFolder="D:\git\clovett\MyMoney.Net\Source\WPF\MoneyPackage\AppPackages\" Description="MyMoney is a rich client .NET application for managing your personal finances. It is written entirely in C# and is designed for programmers who want easy access to their data and who want to quickly and easily add their own features. Your data will not be locked up in some proprietary format, it is yours to do with as you like." MinOS="10.0.18362.0" CertificateUri="https://lovettsoftwarestorage.blob.core.windows.net/downloads/MyMoney.Net/MoneyPackage_2.0.0.6_Test/MoneyPackage_2.0.0.6_AnyCPU.cer" PackageUri="https://lovettsoftwarestorage.blob.core.windows.net/downloads/MyMoney.Net/MoneyPackage_2.0.0.6_Test/MoneyPackage_2.0.0.6_AnyCPU.msixbundle" AppInstallerFile="https://lovettsoftwarestorage.blob.core.windows.net/downloads/MyMoney.Net/MoneyPackage.appinstaller" LogoPath="D:\git\clovett\MyMoney.Net\Source\WPF\MoneyPackage\Images\StoreLogo.png" TileColor="transparent" />
+<AppInstaller DisplayName="MyMoney.Net" IsBundle="true" Version="2.0.0.7" DisplayPublisher="Chris Lovett" SupportedArchitectures="neutral" OutputFolder="D:\git\clovett\MyMoney.Net\Source\WPF\MoneyPackage\AppPackages\" Description="MyMoney is a rich client .NET application for managing your personal finances. It is written entirely in C# and is designed for programmers who want easy access to their data and who want to quickly and easily add their own features. Your data will not be locked up in some proprietary format, it is yours to do with as you like." MinOS="10.0.18362.0" CertificateUri="https://lovettsoftwarestorage.blob.core.windows.net/downloads/MyMoney.Net/MoneyPackage_2.0.0.7_Test/MoneyPackage_2.0.0.7_AnyCPU.cer" PackageUri="https://lovettsoftwarestorage.blob.core.windows.net/downloads/MyMoney.Net/MoneyPackage_2.0.0.7_Test/MoneyPackage_2.0.0.7_AnyCPU.msixbundle" AppInstallerFile="https://lovettsoftwarestorage.blob.core.windows.net/downloads/MyMoney.Net/MoneyPackage.appinstaller" LogoPath="D:\git\clovett\MyMoney.Net\Source\WPF\MoneyPackage\Images\StoreLogo.png" TileColor="transparent" />

Source/WPF/MoneyPackage/BundleArtifacts/neutral.txt

@@ -1,2 +1,2 @@
-MainPackage=D:\git\clovett\MyMoney.Net\Source\WPF\MoneyPackage\bin\AnyCPU\Release\MoneyPackage_2.0.0.6_AnyCPU.msix
-SymbolPackage=D:\git\clovett\MyMoney.Net\Source\WPF\MoneyPackage\obj\Release\Symbols\MoneyPackage_2.0.0.6_AnyCPU.appxsym
+MainPackage=D:\git\clovett\MyMoney.Net\Source\WPF\MoneyPackage\bin\AnyCPU\Release\MoneyPackage_2.0.0.7_AnyCPU.msix
+SymbolPackage=D:\git\clovett\MyMoney.Net\Source\WPF\MoneyPackage\obj\Release\Symbols\MoneyPackage_2.0.0.7_AnyCPU.appxsym

Source/WPF/MoneyPackage/Package.appxmanifest

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10" xmlns:uap="http://schemas.microsoft.com/appx/manifest/uap/windows10" xmlns:rescap="http://schemas.microsoft.com/appx/manifest/foundation/windows10/restrictedcapabilities" IgnorableNamespaces="uap rescap">
-  <Identity Name="43906ChrisLovett.MyMoney.Net" Publisher="CN=Chris Lovett, O=Chris Lovett, S=Washington, C=US" Version="2.0.0.6" />
+  <Identity Name="43906ChrisLovett.MyMoney.Net" Publisher="CN=Chris Lovett, O=Chris Lovett, S=Washington, C=US" Version="2.0.0.7" />
   <Properties>
     <DisplayName>MyMoney.Net</DisplayName>
     <PublisherDisplayName>Chris Lovett</PublisherDisplayName>

Source/WPF/MyMoney/Attachments/StatementManager.cs

@@ -369,7 +369,7 @@ void CheckFileHashes(StatementIndex index)
             var dir = Path.GetDirectoryName(index.FileName);
             foreach(var item in index.Items)
             {
-                if (string.IsNullOrEmpty(item.Hash))
+                if (string.IsNullOrEmpty(item.Hash) && !string.IsNullOrEmpty(item.Filename))
                 {
                     var statementFile = Path.Combine(dir, item.Filename);
                     item.Hash = Sha256Hash(statementFile);

Source/WPF/MyMoney/Database/SqlDatabase.cs

@@ -919,7 +919,7 @@ public void AddLogin(string userName, string password)
         static string DBString(string s)
         {
             if (s == null) return null;
-            return s.Replace("'", "''");
+            return s.Replace("'", "''").Replace("\r","\\r").Replace("\n", "\\n");
         }
 
         static string TwoDigit(int i)

Source/WPF/MyMoney/Ofx/Ofx.cs

@@ -1114,32 +1114,6 @@ internal XDocument SendOfxRequest(XDocument doc)
             return result;
         }
 
-        private int GetSignOnStatusCode(XElement ofx)
-        {
-            XElement signOnMsgResponse = ofx.Element("SIGNONMSGSRSV1");
-            if (signOnMsgResponse != null)
-            {
-                XElement sonOnResponse = signOnMsgResponse.Element("SONRS");
-                if (sonOnResponse != null)
-                {
-                    XElement status = sonOnResponse.Element("STATUS");
-                    if (status != null)
-                    {
-                        XElement code = sonOnResponse.Element("CODE");
-                        if (code != null)
-                        {
-                            int i = 0;
-                            if (int.TryParse(code.Value, out i))
-                            {
-                                return i;
-                            }
-                        }
-                    }
-                }
-            }
-            return -1;
-        }
-
         public static OFX LoadCachedProfile(MyMoney money, OnlineAccount oa)
         {
             string profilePath = Path.Combine(OfxLogPath, OfxRequest.GetLogfileName(money, oa) + "PROF_RS.xml");
@@ -1838,17 +1812,6 @@ public XDocument ParseOfxResponse(Stream stm, bool implementSecurity)
                 sgml.InputStream = new StringReader(sb.ToString());
 
                 doc = XDocument.Load(sgml);
-
-                //Trim newlines.
-                foreach (XNode node in doc.DescendantNodes())
-                {
-                    XText text = node as XText;
-                    if (text != null)
-                    {
-                        text.Value = text.Value.Trim().Replace(Environment.NewLine, " ");
-                    }
-                }
-
                 sr.Close();
             }
             return doc;
@@ -1894,8 +1857,7 @@ public void ProcessResponse(XDocument doc, OfxDownloadData results)
 
             XElement e = doc.SelectExpectedElement("OFX/SIGNONMSGSRSV1/SONRS/STATUS/CODE");
 
-            int statusCode = 0;
-            int.TryParse(e.Value.Trim(), out statusCode);
+            int statusCode = e.GetElementValueAsInt();
             if (statusCode != 0)
             {
                 OfxErrorCode ec = (OfxErrorCode)statusCode;
@@ -1946,7 +1908,7 @@ public void ProcessResponse(XDocument doc, OfxDownloadData results)
                 statusCode = 0;
                 if (e != null)
                 {
-                    int.TryParse(e.Value.Trim(), out statusCode);
+                    statusCode = e.GetElementValueAsInt();
                 }
                 if (statusCode != 0)
                 {
@@ -2004,7 +1966,7 @@ void ProcessCreditCardResponse(XElement cc, OfxDownloadData results)
                 {
                     throw new OfxException("TRNUID is missing in the response");
                 }
-                string id = idElement.Value.Trim();
+                string id = idElement.Value.GetNormalizedValue();
 
                 // Account can be null if we are loading a .ofx file off disk                
                 Account a = (Account)this.truidMap[id];
@@ -2065,7 +2027,7 @@ void ProcessBankResponse(XElement br, OfxDownloadData results)
                 {
                     throw new OfxException("TRNUID is missing in the response");
                 }
-                string id = idElement.Value.Trim();
+                string id = idElement.Value.GetNormalizedValue();
 
                 // Account can be null if we are loading a .ofx file off disk                
                 Account a = (Account)this.truidMap[id];
@@ -2127,7 +2089,7 @@ void ProcessInvestmentResponse(XElement ir, OfxDownloadData results)
                 {
                     throw new OfxException("TRNUID is missing in the response");
                 }
-                string id = idElement.Value.Trim();
+                string id = idElement.Value.GetNormalizedValue();
 
                 // Account can be null if we are loading a .ofx file off disk                
                 Account a = (Account)this.truidMap[id];
@@ -2726,10 +2688,10 @@ private Transaction ProcessInvestmentTransaction(Account a, XElement e)
             XElement invtran = e.Element("INVTRAN");
             if (invtran != null)
             {
-                t.FITID = invtran.SelectElementValue("FITID");
+                t.FITID = invtran.SelectElementValue("FITID").GetNormalizedValue();
                 t.Date = ParseOfxDate(invtran.SelectElementValue("DTTRADE"));
                 // todo: should use DTSETTLE for stock splits.
-                t.Memo = invtran.SelectElementValue("MEMO");
+                t.Memo = invtran.SelectElementValue("MEMO").GetNormalizedValue();
             }
             t.Amount = e.SelectElementValueAsDecimal("TOTAL");
             return t;
@@ -2839,10 +2801,10 @@ Transaction ProcessInvestmentBankTransaction(Account a, XElement e)
             XElement s = e.Element("STMTTRN");
             if (s != null)
             {
-                t.FITID = s.SelectElementValue("FITID");
+                t.FITID = s.SelectElementValue("FITID").GetNormalizedValue();
                 t.Date = ParseOfxDate(s.SelectElementValue("DTPOSTED"));
                 t.Amount = s.SelectElementValueAsDecimal("TRNAMT");
-                t.Memo = s.SelectElementValue("MEMO");
+                t.Memo = s.SelectElementValue("MEMO").GetNormalizedValue();
 
                 switch (s.SelectElementValue("TRNTYPE"))
                 {
@@ -2901,7 +2863,7 @@ Transaction ProcessMarginInterest(Account a, XElement e)
         private static void ProcessCurrency(XElement currency, Transaction t)
         {
             if (currency == null) return;
-            string symbol = currency.SelectElementValue("CURSYM");
+            string symbol = currency.SelectElementValue("CURSYM").GetNormalizedValue();
 
             if (symbol != "USD")
             {
@@ -2912,10 +2874,10 @@ private static void ProcessCurrency(XElement currency, Transaction t)
         Security ProcessSecId(XElement secId)
         {
             if (secId == null) return null;
-            string uniqueId = secId.SelectElementValue("UNIQUEID");
+            string uniqueId = secId.SelectElementValue("UNIQUEID").GetNormalizedValue();
             if (string.IsNullOrEmpty(uniqueId)) return null;
 
-            string idType = secId.SelectElementValue("UNIQUEIDTYPE");
+            string idType = secId.SelectElementValue("UNIQUEIDTYPE").GetNormalizedValue();
             if (string.IsNullOrEmpty(uniqueId)) idType = "CUSIP";
 
             SecurityInfo info = null;
@@ -3021,11 +2983,11 @@ Dictionary<string, SecurityInfo> ReadSecurityInfo(XDocument doc)
                     XElement secInfo = e.SelectElement("SECINFO");
                     if (secInfo != null)
                     {
-                        s.UniqueId = secInfo.SelectElementValue("SECID/UNIQUEID");
-                        s.UniqueIdType = secInfo.SelectElementValue("SECID/UNIQUEIDTYPE");
-                        s.Name = secInfo.SelectElementValue("SECNAME");
-                        s.Ticker = secInfo.SelectElementValue("TICKER");
-                        string price = secInfo.SelectElementValue("UNITPRICE");
+                        s.UniqueId = secInfo.SelectElementValue("SECID/UNIQUEID").GetNormalizedValue();
+                        s.UniqueIdType = secInfo.SelectElementValue("SECID/UNIQUEIDTYPE").GetNormalizedValue();
+                        s.Name = secInfo.SelectElementValue("SECNAME").GetNormalizedValue();
+                        s.Ticker = secInfo.SelectElementValue("TICKER").GetNormalizedValue();
+                        string price = secInfo.SelectElementValue("UNITPRICE").GetNormalizedValue();
 
                         Security sec = null;
                         if (!string.IsNullOrEmpty(s.Ticker))
@@ -3132,45 +3094,44 @@ private void ProcessStatement(OfxDownloadData results, Account a, XElement srs)
 
                 foreach (XElement sr in transactionList.Elements("STMTTRN"))
                 {
+                    string fitid = sr.SelectExpectedElement("FITID").Value.GetNormalizedValue();
 
-                    string fitid = sr.SelectExpectedElement("FITID").Value.Trim();
-
-                    DateTime dt = ParseOfxDate(sr.SelectExpectedElement("DTPOSTED").Value.Trim());
-                    decimal amount = decimal.Parse(sr.SelectExpectedElement("TRNAMT").Value.Trim());
+                    DateTime dt = ParseOfxDate(sr.SelectExpectedElement("DTPOSTED").Value.GetNormalizedValue());
+                    decimal amount = decimal.Parse(sr.SelectExpectedElement("TRNAMT").Value.GetNormalizedValue());
                     if (amount == 0 && a.Type == AccountType.Credit)
                         continue; // ignore those annoying credit checks.
 
                     string number = null;
 
                     XElement e = sr.Element("CHECKNUM");
-                    if (e != null)
+                    if (e != null && int.TryParse(e.Value.GetNormalizedValue(), out int num))
                     {
-                        number = Int32.Parse(e.Value.Trim()).ToString();
+                        number = num.ToString();
                     }
 
                     string payee = null;
                     if ((e = sr.Element("NAME")) != null)
                     {
-                        payee = e.Value.Trim();
+                        payee = e.Value.GetNormalizedValue();
                     }
                     else if ((e = sr.Element("PAYEE")) != null)
                     {
-                        payee = e.Value.Trim();
+                        payee = e.Value.GetNormalizedValue();
                     }
                     else if ((e = sr.Element("PAYEE2")) != null)
                     {
-                        payee = e.Value.Trim();
+                        payee = e.Value.GetNormalizedValue();
                     }
 
 
                     string memo = null;
                     if ((e = sr.Element("MEMO")) != null)
                     {
-                        memo = e.Value.Trim();
+                        memo = e.Value.GetNormalizedValue();
                     }
                     else if ((e = sr.Element("MEMO2")) != null)
                     {
-                        memo = e.Value.Trim();
+                        memo = e.Value.GetNormalizedValue();
                     }
 
                     string s = "Bill Payment ";
@@ -3273,7 +3234,7 @@ private void ProcessStatement(OfxDownloadData results, Account a, XElement srs)
         // process INVACCTFROM
         private bool CheckAccountId(ref Account a, AccountType accountType, XElement from, OfxDownloadData results)
         {
-            string accountid = from.SelectElementValue("ACCTID");
+            string accountid = from.SelectElementValue("ACCTID").GetNormalizedValue();
 
             Account temp = new Account() { Name = accountid, AccountId = accountid, Type = accountType };
 
@@ -3446,7 +3407,7 @@ private Account FindAccountByOfxId(string accountId)
 
         private static bool CheckUSD(XElement srs, OfxDownloadData results, Account a)
         {
-            string dollar = srs.SelectElementValue("CURDEF");
+            string dollar = srs.SelectElementValue("CURDEF").GetNormalizedValue();
 
             // todo: how to support multi-currency properly...
             //if (dollar != "USD")

Source/WPF/MyMoney/Setup/changes.xml

@@ -1,6 +1,9 @@
 <?xml version="1.0" encoding="utf-8" ?>
 <changes>
-  <change version="2.0.0.6" date="5/172022">
+  <change version="2.0.0.7" date="7/28/2022">
+    - Fix a potential newline SQL injection bug.
+  </change>
+  <change version="2.0.0.6" date="5/17/2022">
     - Fix initial setup of Attachments folder.
   </change>
   <change version="2.0.0.5" date="5/2/2022">

Source/WPF/MyMoney/Utilities/XmlHelpers.cs

@@ -116,5 +116,20 @@ public static string GetRequiredAttribute(this XmlElement cdef, string name, str
             }
             return null;
         }
+
+        public static string GetNormalizedValue(this string s)
+        {
+            return s.Trim().Replace("\r\n", " ").Replace('\r', ' ').Replace('\n', ' ');
+        }
+
+        public static int GetElementValueAsInt(this XElement e, int defaultValue = 0)
+        {
+            int i = 0;
+            if (int.TryParse(e.Value.GetNormalizedValue(), out i))
+            {
+                return i;
+            }
+            return defaultValue;
+        }
     }
 }

Source/WPF/Version/Version.cs

@@ -6,5 +6,5 @@
 // And also sync this with the MSIX package manifest in
 // ~\MyMoney.Net\Source\WPF\MoneyPackage\Package.appxmanifest
 
-[assembly: AssemblyVersion("2.0.0.6")]
-[assembly: AssemblyFileVersion("2.0.0.6")]
+[assembly: AssemblyVersion("2.0.0.7")]
+[assembly: AssemblyFileVersion("2.0.0.7")]

Source/WPF/Version/Version.props

@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="utf-8"?>
 <Project ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <PropertyGroup>
-    <ApplicationRevision>6</ApplicationRevision>
-    <ApplicationVersion>2.0.0.6</ApplicationVersion>
+    <ApplicationRevision>7</ApplicationRevision>
+    <ApplicationVersion>2.0.0.7</ApplicationVersion>
   </PropertyGroup>
 </Project>