Database Injection Attack vulnerability #256

cdsre opened this issue Jan 15, 2025 · 1 comment
cdsre commented Jan 15, 2025

The new gsi.go resource seems significantly vulnerable to injection attacks. Unfortunately the Capella free/personal tier does not allow generation of an API key for me to test this directly in Terraform, so this issue is raised simply from my interpretation of the Go code in the provider.

The injection vulnerability as described by the OWASP Top 10:
An application is vulnerable to attack when:

  • User-supplied data is not validated, filtered, or sanitized by the application.
  • Dynamic queries or non-parameterized calls without context-aware escaping are used directly in the interpreter.
  • Hostile data is used within object-relational mapping (ORM) search parameters to extract additional, sensitive records.
  • Hostile data is directly used or concatenated. The SQL or command contains the structure and malicious data in dynamic queries, commands, or stored procedures.

So key examples of this are taking user input directly from the plan without any sanitization or validation, and using fmt.Sprintf to build a dynamic query, directly using the values in the string instead of using parameterization.

There are several examples of this in the gsi code. An example is:

```go
ddl = fmt.Sprintf(
	"CREATE INDEX `%s` ON `%s`.`%s`.`%s`(%s) ",
	plan.IndexName.ValueString(),
	plan.BucketName.ValueString(),
	plan.ScopeName.ValueString(),
	plan.CollectionName.ValueString(),
	strings.Join(index_keys, ","),
)
```

If for example the following values were put in a gsi resource for the travel sample:

```hcl
resource "couchbase-capella_query_indexes" "idx" {
  organization_id = var.organization_id
  project_id      = var.project_id
  cluster_id      = var.cluster_id

  bucket_name     = var.bucket_name
  scope_name      = var.scope_name
  collection_name = var.collection_name

  index_name = var.index_name
  index_keys = var.index_keys
}
```

and the tfvars file was:

```hcl
auth_token = "<token>"

organization_id = "<organization_id>"
project_id      = "<project_id>"
cluster_id      = "<cluster_name>"

bucket_name     = "travel-sample`.`inventory`.`airline`(icao); DELETE FROM `travel-sample`.`inventory`.`airport` --"
scope_name      = ""
collection_name = ""

index_name = "bad_actor"
index_keys = [""]
```

This could potentially create the following DDL:

```sql
CREATE INDEX `bad_actor` ON `travel-sample`.`inventory`.`airline`(icao); DELETE FROM `travel-sample`.`inventory`.`airport` --`.``.``()
```

This would result in the index being created but also all the documents in travel-sample.inventory.airport being deleted. I am not sure if there is anything in the Capella SDK that might prevent this on the server side, but at first glance at the provider code this looks like it's very vulnerable to injection attacks.

When considering the impact of this, please think about the fact that the value for an attribute may come from anywhere: direct user input, a lookup from a KV store like Consul or AWS SSM, a CI/CD variable, etc.

As I say, I am not 100% sure this will delete all the records, as I can't test in Terraform without an API key.
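A hardened version of the DDL builder discussed in this report, added here as an illustration and not code from the provider. It assumes an allowlist of letters, digits, underscore and hyphen for every identifier, and restricts index keys to plain field names (real index keys may be expressions, which this example deliberately does not accept):

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// identRe is an assumed allowlist for bucket, scope, collection, index and
// key names: letters, digits, underscore and hyphen (hyphen is needed for
// names like travel-sample). Backticks, quotes, parentheses and semicolons
// therefore never reach the DDL string.
var identRe = regexp.MustCompile(`^[A-Za-z0-9_][A-Za-z0-9_-]*$`)

// validateIdent reports an error for any value outside the allowlist.
func validateIdent(what, v string) error {
	if !identRe.MatchString(v) {
		return fmt.Errorf("%s %q contains characters outside the allowed set", what, v)
	}
	return nil
}

// quoteIdent wraps an already validated identifier in N1QL backticks.
func quoteIdent(v string) string { return "`" + v + "`" }

// BuildCreateIndexDDL produces the same statement shape as the provider's
// fmt.Sprintf, but only after every user-controlled part has been checked.
func BuildCreateIndexDDL(index, bucket, scope, collection string, keys []string) (string, error) {
	parts := []struct{ what, v string }{
		{"index_name", index}, {"bucket_name", bucket},
		{"scope_name", scope}, {"collection_name", collection},
	}
	for _, p := range parts {
		if err := validateIdent(p.what, p.v); err != nil {
			return "", err
		}
	}
	if len(keys) == 0 {
		return "", fmt.Errorf("index_keys must not be empty")
	}
	quoted := make([]string, 0, len(keys))
	for _, k := range keys {
		if err := validateIdent("index key", k); err != nil {
			return "", err
		}
		quoted = append(quoted, quoteIdent(k))
	}
	return fmt.Sprintf("CREATE INDEX %s ON %s.%s.%s(%s)",
		quoteIdent(index), quoteIdent(bucket), quoteIdent(scope),
		quoteIdent(collection), strings.Join(quoted, ",")), nil
}
```

With this check in place the bucket_name from the tfvars above is rejected before any statement is assembled, so the outcome no longer depends on what the query engine does with a second delimited statement.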

@l0n3star l0n3star self-assigned this Jan 17, 2025
@l0n3star
Contributor

Hi @cdsre

The database engine doesn't allow multiple delimited statements. I ran the above example and it fails:

```text
  # couchbase-capella_query_indexes.idx will be created
  + resource "couchbase-capella_query_indexes" "idx" {
      + bucket_name     = "travel-sample`.`inventory`.`airline`(icao); DELETE FROM `travel-sample`.`inventory`.`airport` --"
      + cluster_id      = <cluster id>
      + index_keys      = [
          + "",
        ]
      + index_name      = "bad_actor"
      + organization_id = <org id>
      + project_id      = <project id>
      + status          = (known after apply)
      + with            = {
          + num_replica = (known after apply)
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

couchbase-capella_query_indexes.idx: Creating...
╷
│ Error: Failed to execute index DDL
│ 
│   with couchbase-capella_query_indexes.idx,
│   on config.tf line 70, in resource "couchbase-capella_query_indexes" "idx":
│   70: resource "couchbase-capella_query_indexes" "idx" {
│ 
│ Could not execute index CREATE INDEX `bad_actor` ON `travel-sample`.`inventory`.`airline`(icao); DELETE FROM `travel-sample`.`inventory`.`airport` --`.``.``() 
│ Error: {"code":400,"hint":"Please review your request and ensure that all required parameters are correctly provided.","httpStatusCode":400,"message":"syntax error - line 1,
│ column 74, near '...y`.`airline`(icao); ', at: DELETE (reserved word)"}
```

There is validation done in the API server to ensure only index DDL is allowed.

Index keys aren't escaped, but worst case is you get a parser error.
