Home

SOAP and INET objects should not be used

  • Vulnerability
  • Critical

Rule description

  • SOAP and INET PowerBuilder objects do not support use of TLS 1.2 and that makes it vulnerable to attacks

 

Non-compliant Code Example 

global function string hyperlinktourl (integer id)

integer li_rc
inet iinet_base
veinet veiinet_base
iinet_base = CREATE inet
veiinet_base = CREATE veinet

SetPointer(HourGlass!)
li_rc = &iinet_base.HyperlinkToURL("https://www.visual-expert.com")
li_rc = veiinet_base.HyperlinkToURL("https://www.visual-expert.com")

DESTROY iinet_base


Return ""
end function
global function string getUrl (integer id)

integer li_rc
inet linet_main
internetresult luo_data  // as defined above
veinet veiinet
veinternetresult veluo_data

veiinet = CREATE veinet
linet_main = CREATE inet
luo_data = CREATE internetresult

SetPointer(HourGlass!)
li_rc = &
  linet_main.GetURL("https://www.visual-expert.com", luo_data)
li_rc = &
  linet_main.GetURL("https://www.visual-expert.com", veluo_data)

li_rc = veiinet.GetURL("https://www.visual-expert.com", luo_data)
li_rc = veiinet.GetURL("https://www.visual-expert.com", veluo_data)

SetPointer(Arrow!)
IF li_rc = 1 THEN
   MessageBox("Success!", string(luo_data))
ELSE
   MessageBox("Failure!", "Oops rc:" + string(li_rc))
END IF

DESTROY luo_data
DESTROY linet_main

Return "
end function
global function string postUrl (integer id)

Blob lblb_args
String ls_headers
String ls_url
Long ll_length
inet iinet
veinet veiinet
veinternetresult iir_msgbox
iinet = CREATE inet
veiinet = CREATE veinet

iir_msgbox = CREATE veinternetresult
ls_url = "https://www.visual-expert.com/"
ls_url += "EN/powerbuilder-code-pb/"
ls_url += "function-source-analysis-documentation-impact.html?"
lblb_args = blob("")
ll_length = Len(lblb_args)
ls_headers = "Content-Length: " &
   +String(ll_length) + "~n~n"
iinet.PostURL &
   (ls_url, lblb_args, ls_headers, 8080, iir_msgbox)

veiinet.PostURL &
   (ls_url, lblb_args, ls_headers, 8080, iir_msgbox)


Return ""
end function
global function string getproductbyid (integer id);

SoapConnection soapConnection 
ProductClientProxy productProxyObject
long rVal, lLog
string productName_string, str_endpoint

str_endpoint = "http://services.xmethods.net:80/soap"
soapConnection = create SoapConnection

lLog = soapConnection.SetOptions("SoapLog=~"C:\ProductProxySoapLog.log~"")

rVal = soapConnection.CreateInstance(productProxyObject, &
   "ProductClientProxy", str_endpoint)


try

   productName_string = productProxyObject.GetProductName(id)
   // Invoke service
   messagebox("Product Detail", "Product Name : " &
   +productName_string)

catch (SoapException e)
   messagebox("Error", "Cannot invoke Web service")
   Return ""
    // error handling   
end try
destroy soapConnection


Return productName_string
end function
global function string callINETHyperlinkToURL (integer id)
integer li_rc
SetPointer(HourGlass!)
li_rc = &
  HyperlinkToURL("https://www.visual-expert.com")

Return ""
end function
global function string callINETGET (integer id)
integer li_rc
internetresult luo_data  // as defined above
luo_data = CREATE internetresult

SetPointer(HourGlass!)
li_rc = &
  GetURL("https://www.visual-expert.com", luo_data)
SetPointer(Arrow!)
IF li_rc = 1 THEN
   MessageBox("Success!", string(luo_data))
ELSE
   MessageBox("Failure!", "Oops rc:" + string(li_rc))
END IF

DESTROY luo_data

Return ""
end function
global function string callINETPOST (integer id)

Blob lblb_args
String ls_headers
String ls_url
Long ll_length
veinternetresult iir_msgbox
iir_msgbox = CREATE veinternetresult
ls_url = "https://www.visual-expert.com/"
ls_url += "EN/powerbuilder-code-pb/"
ls_url += "function-source-analysis-documentation-impact.html?"
lblb_args = blob("")
ll_length = Len(lblb_args)
ls_headers = "Content-Length: " &
   +String(ll_length) + "~n~n"
PostURL &(ls_url, lblb_args, ls_headers, 8080, iir_msgbox)


Return ""
end function

Compliant Code Example

public function integer ve_postdata (string ve_data, long buffersize);integer   isPost
string   ve_data
integer ve_li_ret
httpclient ve_client
ve_li_ret = ve_client.postdata(ve_data,buffersize)
return 1
end function
public function integer ve_getdata_package (string ve_url, ref jsonpackage json_pkg);string ls_json
string ls_error
integer ve_li_ret, li_i
httpclient ve_client
ve_li_ret = ve_client.sendrequest("GET", ve_url)
if ve_li_ret < 0 then
	messagebox("Error","Failed")
else

    ve_li_ret = ve_client.getresponsebody(ls_json)

    if ve_li_ret > 0 then
         ls_error = json_pkg.loadstring(ls_json)

        if ls_error = '' then

        else
                messagebox(gs_msg_title, "Load Jpackage Failed")

        end if


    end if
end if

return 1
end function
Visual Expert 2020
 VEPBRULE1