Postgrest: Audit for SQL injections

Created on 25 Sep 2015 · 3 comments · Source: PostgREST/postgrest

All user input should be going through either pgFmtIdent or pgFmtLit. These functions were tested with QuickCheck to ensure they act like the built-in postgres format command, but it would be smart to use deliberately malicious strings rather than gibberish. (The official postgres escaping code is available to browse for comparison.)

Ideally we can create a new feature test file like InjectionSpec.hs and fill it with lots of evil attempts. For good measure we should try a vulnerability scanner as well.

Labels: hygiene, security
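As an added illustration of what an InjectionSpec-style test can check (this is not the issue author's code and not PostgREST's Haskell code): the block below uses hypothetical Python re-implementations of PostgreSQL's quote_ident()/quote_literal() rules in place of pgFmtIdent/pgFmtLit, feeds them a constructed list of deliberately hostile strings, and then verifies, with a small SQL lexer, that every quoted result is still exactly one identifier or one string-literal token, so no input can close the quotes and start a second statement. A deliberately naive quoting function is included only so the audit can be seen to catch a real defect; the EVIL list, the function names and the `audit` helper are all assumptions of this example.

```python
from typing import Callable, List, Optional, Tuple

# Hypothetical Python analogues of PostgreSQL's quote_ident()/quote_literal().
# These stand in for pgFmtIdent/pgFmtLit for the purpose of the example.
def quote_ident(name: str) -> str:
    if "\x00" in name:
        raise ValueError("NUL byte is not a valid identifier character")
    return '"' + name.replace('"', '""') + '"'

def quote_literal(value: str) -> str:
    if "\x00" in value:
        raise ValueError("NUL byte is not a valid string character")
    body = value.replace("'", "''")
    if "\\" in body:
        # PostgreSQL switches to an E'' string and doubles backslashes
        # whenever the input contains a backslash.
        return "E'" + body.replace("\\", "\\\\") + "'"
    return "'" + body + "'"

# A deliberately weak quoter, constructed so the audit has something to catch.
def naive_quote_literal(value: str) -> str:
    return "'" + value + "'"

def consume_ident(sql: str, i: int) -> Optional[int]:
    """Index just past one double-quoted identifier starting at sql[i], else None."""
    if i >= len(sql) or sql[i] != '"':
        return None
    i += 1
    while i < len(sql):
        if sql[i] == '"':
            if i + 1 < len(sql) and sql[i + 1] == '"':
                i += 2          # doubled quote is a literal quote character
                continue
            return i + 1        # closing quote
        i += 1
    return None                 # unterminated identifier

def consume_literal(sql: str, i: int) -> Optional[int]:
    """Index just past one single-quoted (or E'') string literal at sql[i], else None."""
    escaped = False
    if sql.startswith("E'", i) or sql.startswith("e'", i):
        escaped = True
        i += 1
    if i >= len(sql) or sql[i] != "'":
        return None
    i += 1
    while i < len(sql):
        c = sql[i]
        if escaped and c == "\\":
            i += 2              # backslash escape consumes the next character
            continue
        if c == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":
                i += 2          # doubled quote inside the literal
                continue
            return i + 1        # closing quote
        i += 1
    return None                 # unterminated literal

def is_single_token(fragment: str, consume: Callable[[str, int], Optional[int]]) -> bool:
    """True when the whole fragment is consumed as exactly one token."""
    return consume(fragment, 0) == len(fragment)

# Constructed hostile inputs; a real spec would hold many more.
EVIL = [
    "'; DROP TABLE projects; --",
    '"; DROP TABLE projects; --',
    "\\'; DROP TABLE projects; --",
    "a'' OR ''1''=''1",
    "x\\",
    "E'abc",
    "$$dollar$$",
    'name"; SELECT 1 --',
    "\\\\'",
    "日本語' OR '1'='1",
    "nul\x00byte",
]

def audit(inputs: List[str],
          quote_ident_fn: Callable[[str], str] = quote_ident,
          quote_literal_fn: Callable[[str], str] = quote_literal) -> List[Tuple[str, str, str]]:
    """Return (kind, input, fragment) for every input whose quoted form is not one token.
    Inputs the quoter rejects outright (raises ValueError) count as safely handled."""
    failures = []
    checks = (("ident", quote_ident_fn, consume_ident),
              ("literal", quote_literal_fn, consume_literal))
    for s in inputs:
        for kind, quote, consume in checks:
            try:
                fragment = quote(s)
            except ValueError:
                continue
            if not is_single_token(fragment, consume):
                failures.append((kind, s, fragment))
    return failures

if __name__ == "__main__":
    print("proper quoting failures:", audit(EVIL))
    print("naive quoting failures:", audit(EVIL, quote_literal_fn=naive_quote_literal))
```

The single-token property is the one that matters for injection: if the lexer can walk off the end of the quoted fragment without first seeing a second token, no appended text can become SQL. The same harness slots into a property-based test by replacing EVIL with generated strings, which is what the issue's QuickCheck comparison already does for random input.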

All 3 comments

I tried running this

python sqlmap.py -u 'http://localhost:3000/projects?name=eq.*' --dbms=PostgreSQL --level=5 --risk=3 -f --banner --dbs -v 1
python sqlmap.py -u 'http://localhost:3000/projects?name=eq.OSX' --dbms=PostgreSQL --level=5 --risk=3 -f --banner --dbs -v 1

So far so good

Whenever someone tries a tool like this, he is bound to get a lot of 400 Bad Request responses back.
The new documentation cookbook should contain a few examples of how to rate-limit/block bad actors using nginx/firewall.
Maybe make it a sample nginx config file with lots of options/features that can be used in an "nginx in front of postgrest" configuration.

This audit was pretty long ago, we should do it again and add it to CI. In particular might want to include a check that headers and jwt claims cannot create an injection.

Talked with @elimisteve tonight who brought this up.
