Coordinated Disclosure Timeline
- 2022-11-22: Sent an email with the report to the maintainer
- 2023-01-02: Sent another email asking for status
- 2023-01-09: Posted in Discussions asking for a security contact
- 2023-01-10: Maintainer acknowledged the vulnerability
- 2023-02-12: Created PVR reports for vulnerabilities
- 2023-04-10: PVR reports accepted by the maintainer
- 2023-04-18: Advisories published
Summary
The Archery project contains multiple SQL injection vulnerabilities that may allow an attacker to query the connected databases.
Product
Archery
Tested Version
Details
SQL injection exists in the project because unsafe user input is concatenated into a SQL query string that is then passed to methods executing queries against a database. All identified issues exist because the controller files in the sql folder take user input without sanitizing it and later pass it on for execution. Since the controller methods are connected to, and allow querying, all the databases that are connected to Archery, every database that runs queries built from concatenated input is affected. In this way, one vulnerable endpoint allows several databases to be exploited. To exploit most of these SQL injections, knowledge of the instance name of the targeted database, as defined in Archery, is needed.
The issues were found by using the default py/sql-injection CodeQL query with additional taint steps.
Issue 1: SQL injection in sql/instance.py endpoint describe method (GHSL-2022-101)
In several of the cases listed below, user input coming from the tb_name, db_name or schema_name parameter values in the sql/instance.py > describe endpoint is passed to the describe_table methods of the given SQL engine implementations, which concatenate the user input unsafely into a SQL query and afterwards pass it to the query method of each database engine for execution. Please take into account that in some cases all three parameter values are concatenated, in others only one or two of them.
- sql/engines/clickhouse.py > describe_table method concatenates input which is passed to execution on the database in the sql/engines/clickhouse.py > query method
- sql/engines/mssql.py > describe_table method concatenates input which is passed to execution on the database in the sql/engines/mssql.py > query method in line 310 and line 311
- sql/engines/mysql.py > describe_table method concatenates input which is passed to execution on the database in the sql/engines/mysql.py > query method
- sql/engines/oracle.py > describe_table method concatenates input which is passed to execution on the database in the sql/engines/oracle.py > query method in line 640, line 645 and line 647
- sql/engines/pgsql.py > describe_table method concatenates input which is passed to execution on the database in the sql/engines/pgsql.py > query method on line 182 and line 183
- sql/engines/phoenix.py > describe_table method concatenates input which is passed to execution on the database in the sql/engines/phoenix.py > query method
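As an added illustration of the pattern behind Issue 1 (and the variable_value case in Issue 4), not Archery's own code: a hypothetical describe_table built by string concatenation next to a hardened variant that allowlists identifiers and parameterizes values. The sample database, the IDENTIFIER_RE allowlist and all function names are assumptions; sqlite3 is used only so it runs offline.

```python
import re
import sqlite3

# Hypothetical illustration, not Archery's code. Identifiers (database, table,
# variable names) cannot be bound as query parameters, so they get an allowlist.
IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")


def build_describe_sql_unsafe(db_name, tb_name):
    """Vulnerable pattern: user input lands verbatim in the statement text."""
    return "SELECT * FROM " + db_name + "." + tb_name + " LIMIT 0"


def validate_identifier(name):
    """Reject anything that is not a plain identifier, then quote it."""
    if not IDENTIFIER_RE.match(name):
        raise ValueError("invalid identifier: %r" % name)
    return '"' + name + '"'


def build_describe_sql_safe(db_name, tb_name):
    """Hardened pattern: identifiers are validated and quoted, never raw."""
    return "SELECT * FROM %s.%s LIMIT 0" % (
        validate_identifier(db_name), validate_identifier(tb_name))


def describe_table(conn, db_name, tb_name):
    """Return the column names of db_name.tb_name via the hardened builder."""
    cur = conn.execute(build_describe_sql_safe(db_name, tb_name))
    return [d[0] for d in cur.description]


def lookup_by_value(conn, tb_name, value):
    """Values (unlike identifiers) are bound with a placeholder, not concatenated."""
    sql = "SELECT id FROM %s WHERE name = ?" % validate_identifier(tb_name)
    return [row[0] for row in conn.execute(sql, (value,))]


def demo():
    conn = sqlite3.connect(":memory:")  # constructed sample database
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice'), (2, 'b\"ob')")
    cols = describe_table(conn, "main", "users")
    rejected = []
    for bad in ["users x", "users;", 'us"ers']:  # whitespace, separator, quote
        try:
            describe_table(conn, "main", bad)
        except ValueError:
            rejected.append(bad)
    return cols, rejected, lookup_by_value(conn, "users", 'b"ob')
```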
Issue 2: Multiple SQL injections in sql_api/api_workflow.py endpoint ExecuteCheck post method (GHSL-2022-102)
User input coming from the db_name and full_sql parameter values in the api_workflow.py ExecuteCheck post endpoint is passed to the methods of the SQL engine implementations listed below, which concatenate the user input unsafely into a SQL query and afterwards pass it to the query method of each database engine for execution.
- sql/engines/clickhouse.py > execute_check method passes unsafe user input into the sql/engines/clickhouse.py > get_table_engine method, which concatenates input which is passed to execution on the database in the sql/engines/clickhouse.py > query method on line 130.
- sql/engines/goinception.py > execute_check method concatenates input which is passed to execution on the database in the sql/engines/goinception.py > query method.
- sql/engines/oracle.py > execute_check method passes unsafe user input into the object_name_check method, which is passed to execution on the database in the sql/engines/oracle.py > query method on line 640.
Issue 3: SQL injection in sql_api/api_workflow.py endpoint ExecuteCheck post method passing unsafe input to sql/engines/oracle.py explain_check method (GHSL-2022-103)
User input coming from the db_name parameter value in the api_workflow.py ExecuteCheck post endpoint is passed through the oracle.py execute_check method to the explain_check method, where it is executed on line 574.
Issue 4: Multiple SQL injections in sql/instance.py param_edit method (GHSL-2022-104)
User input coming from the variable_name and variable_value parameter values in the sql/instance.py param_edit endpoint is passed to the methods of the SQL engine implementations listed below, which concatenate the user input unsafely into a SQL query and afterwards pass it to the query method of each database engine for execution.
- sql/engines/goinception.py > set_variable method concatenates input which is passed to execution on the database in the sql/engines/goinception.py > query method on line 153.
- sql/engines/goinception.py > get_variables method concatenates input which is passed to execution on the database in the sql/engines/goinception.py > query method on line 153.
- sql/engines/mysql.py > set_variable method concatenates input which is passed to execution on the database in the sql/engines/mysql.py > query method on line 341.
- sql/engines/mysql.py > get_variables method concatenates input which is passed to execution on the database in the sql/engines/mysql.py > query method on line 341.
Issue 5: Multiple SQL injections in sql/data_dictionary.py table_list method (GHSL-2022-105)
User input coming from the db_name parameter value in the sql/data_dictionary.py table_list endpoint is passed to the methods of the SQL engine implementations listed below, which concatenate the user input unsafely into a SQL query and afterwards pass it to the query method of each database engine for execution.
- sql/engines/mssql.py > get_group_tables_by_db method passes unsafe user input to the sql/engines/mssql.py > query method on line 310.
- sql/engines/oracle.py > get_group_tables_by_db method concatenates input which is passed to execution on the database in the sql/engines/oracle.py > query method on line 640, line 645 and line 647.
Issue 6: SQL injection in data_dictionary.py table_info method (GHSL-2022-106)
User input coming from the db_name and tb_name parameter values in the sql/data_dictionary.py table_info endpoint is passed to the methods of the SQL engine implementations listed below, which concatenate the user input unsafely into a SQL query and afterwards pass it to the query method of each database engine for execution.
- sql/engines/mssql.py > get_table_meta_data method passes unsafe user input to the sql/engines/mssql.py > query method on line 310 and line 311.
- sql/engines/mssql.py > get_table_desc_data method passes unsafe user input to the sql/engines/mssql.py > query method on line 310 and line 311.
- sql/engines/mssql.py > get_table_index_data method passes unsafe user input to the sql/engines/mssql.py > query method on line 310 and line 311.
- sql/engines/oracle.py > get_table_meta_data method concatenates input which is passed to execution on the database in the sql/engines/oracle.py > query method on line 640, line 645 and line 647.
- sql/engines/oracle.py > get_table_desc_data method concatenates input which is passed to execution on the database in the sql/engines/oracle.py > query method on line 640, line 645 and line 647.
- sql/engines/oracle.py > get_table_index_data method concatenates input which is passed to execution on the database in the sql/engines/oracle.py > query method on line 640, line 645 and line 647.
Issue 7: SQL injection in sql_optimize.py optimize_sqltuningadvisor method (GHSL-2022-107)
User input coming from the db_name parameter value in the sql_optimize.py optimize_sqltuningadvisor endpoint is passed to the oracle.py sqltuningadvisor method, where it is executed on line 1347.
Issue 8: SQL injection in sql_optimize.py explain method (GHSL-2022-108)
User input coming from the db_name parameter value in the sql_optimize.py explain endpoint is passed to the query method of each database engine for execution.
Impact
All of the issues may lead to Information Disclosure.
Credit
These issues were discovered and reported by GHSL team member @sylwia-budzynska (Sylwia Budzynska).
Contact
You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2022-101, GHSL-2022-102, GHSL-2022-103, GHSL-2022-104, GHSL-2022-105, GHSL-2022-106, GHSL-2022-107, or GHSL-2022-108 in any communication regarding these issues.