[CKAN-Security] Datastore sql injection (write access)
Alice Heaton
a.heaton at nhm.ac.uk
Thu Oct 9 14:40:47 UTC 2014
Hello,
I have found an SQL Injection :-) On master - I don't think that code
was in a release yet.
How to reproduce
------------------------
On master, upload this CSV file to the datastore:
The first field, The second field, MIX FIELD,fo;'));CREATE TABLE breakit(breakit integer);--ürth_field,lat,long
a value, another value, a third value, a fourth value,21,14
A VALUE, can you, parse thüs?, A FOURTH VALUE,-45,45
?,.*,a%b,""why"",88,-11
',"",;,",",61,12
1,2,3,4,0,0
And you will get a new table called 'breakit' ! Only the text on the
first line starting at the single quote and finishing at the double dash
is relevant here; the rest was just me doing various tests.
What happens
-------------------
When uploading the table, field names are validated to ensure that they
don't contain double quotes, since field names are typically escaped
using double quotes. However there is (at least) one context where field
names are enclosed in single, rather than double, quotes: when creating
full text indexes. Specifically when calling to_tsvector('language',
'field_name').
The culprit is _build_fts_indexes in ckanext/datastore/db.py
Vitor: I'm cc-ing you because last time I wrote to security at ckan.org I
didn't get a reply, so I'm not sure anyone actually reads it...
Can you confirm this has been received?
Best Wishes,
Alice Heaton
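The quoting mismatch described above, as an added example that is not part of the original message and not CKAN's own code: a field name that passes a double-quote check is interpolated into a single-quoted literal, so the string splits into two statements, whereas quoting each value for the context it lands in (the language as a literal, the column as a quoted identifier) keeps the same payload inert. The field-name check, the index template, the helper names and the payload value are all hypothetical reconstructions modelled on the report; the splitter is a deliberately small SQL tokenizer written for this demonstration.

```python
"""Added example (not CKAN's code): a double-quote check on field names does
not protect a name that is later dropped into a single-quoted literal such as
to_tsvector('english', 'field_name')."""
import sqlite3

# Constructed payload, modelled on the header cell in the report.
PAYLOAD_FIELD = "fo;'));CREATE TABLE breakit(breakit integer);--\u00fcrth_field"
LANG = "english"


def field_name_is_valid(name):
    """Hypothetical stand-in for the upload-time check the report describes:
    reject names containing a double quote, because field names are normally
    emitted as "quoted identifiers"."""
    return '"' not in name


def vulnerable_fts_index_sql(resource_id, field, lang=LANG):
    """Hypothetical reconstruction of the flawed pattern (not CKAN's code):
    the field name lands inside a SINGLE-quoted literal, a context the
    double-quote check above says nothing about."""
    return ("CREATE INDEX idx_{0} ON \"{0}\" USING gist("
            "to_tsvector('{1}', '{2}'))".format(resource_id, lang, field))


def quote_identifier(name):
    """SQL-standard identifier quoting: double quotes, embedded ones doubled."""
    return '"' + name.replace('"', '""') + '"'


def quote_literal(value):
    """SQL-standard literal quoting: single quotes, embedded ones doubled."""
    return "'" + value.replace("'", "''") + "'"


def hardened_fts_index_sql(resource_id, field, lang=LANG):
    """Same statement with every interpolated value quoted for its context:
    the language as a literal, the table and column as identifiers."""
    return ("CREATE INDEX {idx} ON {tbl} USING gist("
            "to_tsvector({lang}, cast({col} AS text)))").format(
        idx=quote_identifier("idx_" + resource_id),
        tbl=quote_identifier(resource_id),
        lang=quote_literal(lang),
        col=quote_identifier(field))


def split_statements(sql):
    """Minimal statement splitter honouring single-quoted literals,
    double-quoted identifiers and -- comments. More than one piece means
    the interpolated text escaped its quoting context."""
    stmts, buf, i, n = [], [], 0, len(sql)
    while i < n:
        ch = sql[i]
        if ch in ("'", '"'):
            # copy the whole quoted token, treating a doubled quote as escaped
            j = i + 1
            while j < n:
                if sql[j] == ch:
                    if j + 1 < n and sql[j + 1] == ch:
                        j += 2
                        continue
                    break
                j += 1
            buf.append(sql[i:j + 1])
            i = j + 1
        elif sql.startswith("--", i):
            # line comment: skip to end of line
            j = sql.find("\n", i)
            i = n if j == -1 else j + 1
        elif ch == ";":
            stmt = "".join(buf).strip()
            if stmt:
                stmts.append(stmt)
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    tail = "".join(buf).strip()
    if tail:
        stmts.append(tail)
    return stmts


def hardened_identifier_round_trips(field=PAYLOAD_FIELD):
    """Use SQLite to confirm the quoted identifier is accepted verbatim as a
    column name and that no 'breakit' table gets created along the way."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("CREATE TABLE t ({} text);".format(quote_identifier(field)))
    cols = [row[1] for row in conn.execute("PRAGMA table_info(t)")]
    tables = [row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    conn.close()
    return cols == [field] and "breakit" not in tables


if __name__ == "__main__":
    print("passes double-quote check:", field_name_is_valid(PAYLOAD_FIELD))
    for label, fn in (("vulnerable", vulnerable_fts_index_sql),
                      ("hardened", hardened_fts_index_sql)):
        for s in split_statements(fn("res", PAYLOAD_FIELD)):
            print(label, "->", s)
```

Running it shows the vulnerable template yielding two statements, the second being the attacker's CREATE TABLE, while the hardened template yields one. The general lesson is that validation tied to one quoting context (double quotes) cannot be reused for another (single quotes); quote or parameterize at the point of interpolation instead.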