Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow comments as iodata. #721

Closed
wants to merge 2 commits into from
Closed

Allow comments as iodata. #721

wants to merge 2 commits into from

Conversation

dkuku
Copy link
Contributor

@dkuku dkuku commented Dec 19, 2024
edited
Loading

When I wrote the test for the original implementation, I noticed that it couldn't be exploited when there was a ; at the end of the original statement. Postgres returned an error stating, cannot insert multiple commands into a prepared statement. Initially, I abandoned this idea as I didn't want to be the person who introduced SQLI into Postgrex. However, the more I think about it, the more useful it seems to remove the binary requirement for scanning. Without validation, we can use Iodata.

I sought advice and even posted a potentially vulnerable app on a security forum. I also conducted a self-scan using SQLMap, and it seems safe. Golang PGX is using this.

The only issue I found was at https://adeadfed.com/posts/postgresql-select-only-rce/, but I don't think it can be used after ; looking at the example. I tried but no luck.
Also sqlcommenter specification require to escape the string.

@dkuku
Copy link
Contributor Author

dkuku commented Dec 19, 2024

my example app:
https://sqlcomm.fly.dev/?id=*%2Fselect+*+from+users+%2F

@josevalim
Copy link
Member

I would prefer to keep it as a binary, in case we need to do checks in the future. This is really something we don't want to get wrong and we want to have space to fix it in the future. For example, I am almost sure we should check for null bytes too. There is basically no reason to have either null bytes or */ in a comment. I think appending ; is a good idea anyway.

@dkuku
Copy link
Contributor Author

dkuku commented Dec 19, 2024

null byte terminates the message but postgres requires it to be certain length:

              postgres: %{
                code: :protocol_violation,
                message: "insufficient data left in message",
                file: "pqformat.c",

@josevalim
Copy link
Member

Yup! It should be null byte safe today. But it is also easy for us to make changes in the future, I don't know, maybe use text for some queries, and then completely forget we assumed we are null byte safe here. :)

@dkuku dkuku closed this Dec 19, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@dkuku @josevalim