Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Improvement] Potential SQL injection point in generateDropDatabaseSql #2179

Closed
justinmclean opened this issue Feb 13, 2024 · 8 comments · Fixed by #2335
Closed

[Improvement] Potential SQL injection point in generateDropDatabaseSql #2179

justinmclean opened this issue Feb 13, 2024 · 8 comments · Fixed by #2335
Assignees
@zivali
Labels
good first issue Good for newcomers improvement Improvements on everything

Comments

@justinmclean
Copy link
Member

What would you like to be improved?

The database name is passed into generateDropDatabaseSql and is passed on to executeQuery without checking or validating it's contents.

How should we improve?

Verify the database name before calling executeQuery.
@justinmclean justinmclean added good first issue Good for newcomers improvement Improvements on everything labels Feb 13, 2024
@henrybear327
Copy link
Contributor

Hello @justinmclean,

I would like to work on this issue, but may I request more hints on how to go about fixing this issue?

Thank you!

@justinmclean
Copy link
Member Author

These links may help:
https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05-Testing_for_SQL_Injection
https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html

In this case, I would check if the name is in an expected format with a regular expression or similar.

@jerryshao jerryshao added this to the Gravitino 0.5.0 milestone Feb 20, 2024
zivali added a commit to zivali/gravitino that referenced this issue Feb 24, 2024
@zivali
[apache#2179] Improvement: Potential SQL injection point in generateD…
a16eb09 
…ropDatabaseSql
@zivali zivali mentioned this issue Feb 24, 2024
Merged
zivali added a commit to zivali/gravitino that referenced this issue Feb 27, 2024
@zivali
[apache#2179] Improvement: Potential SQL injection point in generateD…
37f32fc 
…ropDatabaseSql
zivali added a commit to zivali/gravitino that referenced this issue Mar 15, 2024
@zivali
[apache#2179] Improvement: Potential SQL injection point in generateD…
3f4cfe8 
…ropDatabaseSql
@jerryshao jerryshao removed this from the Gravitino 0.5.0 milestone Apr 10, 2024
@mchades
Copy link
Contributor

mchades commented Apr 24, 2024

Has the issue been resolved after merging #3053?

@zivali
Copy link
Contributor

zivali commented May 27, 2024

I saw #3053 which originally seems to fix this issue is causing bug report for listing MySQL schema '//' in #3101. So currently we do not applyCapabilitiesOnName when dropping schema #3126.
But '/' is not a classic character in MySQL identifier.

Should we still verify the naming before dropping using the capability framework?
If so, there may be other bug reports which request supports for special characters in the future.

@mchades
Copy link
Contributor

mchades commented May 28, 2024

But '/' is not a classic character in MySQL identifier.

Although / is not a classic character in MySQL, there are indeed real user scenarios that require it to be included in the database name, so we need to allow users to operate it.

Should we still verify the naming before dropping using the capability framework?
If so, there may be other bug reports which request supports for special characters in the future.

Is there any other way to prevent potential SQL injection in generateDropDatabaseSql other than checking the name? (such as prepared-statements-with-parameterized-queries?)

If not, I think we can verify the naming before dropping using the capability framework firstly to resolve this issue. If there are other users who need to use special characters in real scenarios, we will gradually relax restrictions or make the name spec capability configurable for users. WDYT?

@zivali
Copy link
Contributor

zivali commented May 30, 2024
edited
Loading

Prepared statement seems to be designed to handle data values, not for SQL identifiers like table names or database names.
So when creating and deleting table/database, most JDBC doesn't support using prepared statement e.g. MySQL
I think we may still need to validate the naming. Does Gravitino collect user logs so that we may know what are some special characters that are currently in use by users?

@mchades
Copy link
Contributor

mchades commented May 30, 2024

This regular expression already contains the special characters that are known to be used by the user
https://github.com/datastrato/gravitino/blob/a09420dd90a413a4f4944fc628286d20f9950d1c/core/src/main/java/com/datastrato/gravitino/connector/capability/Capability.java#L87-L97

@zivali
Copy link
Contributor

zivali commented May 30, 2024
edited
Loading

Got it, thanks! I think we can add separate regex name pattern for the 4 JDBC catalog and validate naming when creating and dropping table/database for now. What do you think? :)

@mchades mchades added the 0.6.0 label Jun 18, 2024
shaofengshi pushed a commit to shaofengshi/gravitino that referenced this issue Jun 24, 2024
@zivali @shaofengshi
[apache#2179] Improvement: Improve security when creating and droppin…
5c15214 
…g schemas and tables (apache#2335)

### What changes were proposed in this pull request?

Improve security when creating and dropping schemas and tables.

This PR adds the following checks for identifier names using the
capability framework
- Regex check
- As a best practice, it's generally advised to avoid including spaces
in database names. In this PR, database names that include space will be
considered illegal.
- String length check, since SQL injection usually requires using longer
string
    - Mysql: at most 64 characters
    - Postgresql: at most 63 characters

We refer to specifications of the earliest version of DB that gravitino
currently supports:
- Postgresql identifier rules:
https://www.postgresql.org/docs/12/sql-syntax-lexical.html#SQL-SYNTAX-IDENTIFIERS
- Mysql identifier naming:
https://dev.mysql.com/doc/refman/5.7/en/identifiers.html
- Mysql identifier length limit:
https://dev.mysql.com/doc/refman/5.7/en/identifier-length.html
### Why are the changes needed?

Fix: apache#2179 

### Does this PR introduce _any_ user-facing change?
Add name identifier checks before attempting to create or drop schemas
and tables.

### How was this patch tested?
Add IT tests.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@zivali zivali

Labels
good first issue Good for newcomers improvement Improvements on everything
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[#2179] Improvement: Improve security when creating and dropping schemas and tables zivali/gravitino
5 participants
@justinmclean @jerryshao @henrybear327 @mchades @zivali