SQL-injection possible in PGStore.prototype.quotedTable

[bobnil]

The function PGStore.prototype.quotedTable is vulnerable to SQL-injection, if the input has double quotes. If schemaName is set to 'web".session WHERE $1=$1;--' it will wipe the web.session table every time the prune process runs.

/**
   * Get the quoted table.
   *
   * @return {String} the quoted schema + table for use in queries
   * @access private
   */


  PGStore.prototype.quotedTable = function () {
    let result = '"' + this.tableName + '"';

    if (this.schemaName) {
      result = '"' + this.schemaName + '".' + result;
    }

    return result;
  };

There is a function quote_ident that could be used:

Return the given string suitably quoted to be used as an identifier in an SQL statement string. Quotes are added only if necessary (i.e., if the string contains non-identifier characters or would be case-folded). Embedded quotes are properly doubled.

Calling this function will require a call to the server and requires that the server is available before the table name can be resolved. This call could also get the version of the server, and warn the user if the server version is too old.

[voxpelli]

Thanks, I'll take a look at this.

A friendly note though: While this isn't a very critical security flaw (if someone is injecting vulnerable schema or table names, then one surely has other severe issues) it is recommended to contact the author through a private channel rather than disclose it publicly 😉

I'll add a note about that as well 🙂

[bobnil]

You are correct, I should have done that, and I would have if it was more serious.
As you noticed, a project that is vulnerable to this probably have more problems...

I will soon make a new pull request with a minimal fix for this.

The best way I have found so far is to use quote_ident, a sql-function

quote_ident(string text)
Return the given string suitably quoted to be used as an identifier in an SQL statement string. Quotes are added only if necessary (i.e., if the string contains non-identifier characters or would be case-folded). Embedded quotes are properly doubled.

But that requires a query to the server, and if it isn't available at startup the table name can't be determinated.

A quick fix is to double-quote duouble-quoted characters in Javascript. That's what I'm going to do in my pull request.

[voxpelli]

I have a fix ready to push, just doing some final adjustments ons 21 aug. 2019 kl. 22:53 skrev Robert Nilsson <notifications@github.com>:

…

You are correct, I should have done that, and I would have if it was more serious. As you noticed, a project that is vulnerable to this probably have more problems... I will soon make a new pull request with a minimal fix for this. The best way I have found so far is to use quote_ident <https://www.postgresql.org/docs/10/functions-string.html>, a sql-function quote_ident(string text) Return the given string suitably quoted to be used as an identifier in an SQL statement string. Quotes are added only if necessary (i.e., if the string contains non-identifier characters or would be case-folded). Embedded quotes are properly doubled. But that requires a query to the server, and if it isn't available at startup the table name can't be determinated. A quick fix is to double-quote duouble-quoted characters in Javascript. That's what I'm going to do in my pull request. — You are receiving this because you were assigned. Reply to this email directly, view it on GitHub <#151?email_source=notifications&email_token=AAAINGMYE26BWDYQKEMI663QFWTL7A5CNFSM4IOFI5L2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD43C52Y#issuecomment-523644651>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAAINGJNBYRD4FKDOJ6IQZLQFWTL7ANCNFSM4IOFI5LQ> .

[voxpelli]

Fixed in 6.0.1, thanks!

[voxpelli]

An advisory has been published: GHSA-xqh8-5j36-4556