[CKAN-Security] SQL Injection reported

Adrià Mercader adria.mercader at okfn.org
Wed Jan 14 12:12:27 UTC 2015


Hi Alice,

Hope you and the rest of the NHM team are well.

A while ago you reported an SQL injection to security at ckan.org (see
below). We trust this has now been fixed on master, but if you could
have a quick check that would be great.

Thanks a lot!

Adrià

----


I have found an SQL Injection :-) On master - I don't think that code
was in a release yet.

How to reproduce

On master, upload this CSV file to the datastore:

The first field, The second field, MIX FIELD,fo;'));CREATE TABLE
breakit(breakit integer);--ürth_field,lat,long
a value, another value, a third value, a fourth value,21,14
A VALUE, can you, parse thüs?, A FOURTH VALUE,-45,45
?,.*,a%b,""why"",88,-11
',"",;,",",61,12
1,2,3,4,0,0

And you will get a new table called 'breakit'! Only the text on the
first line starting at the single quote and finishing at the double
dash is relevant here; the rest was just me doing various tests.

What happens

When uploading the table, field names are validated to ensure that
they don't contain double quotes, since field names are typically
escaped using double quotes. However there is (at least) one context
where field names are enclosed in single, rather than double, quotes:
when creating full text indexes. Specifically when calling
to_tsvector('language', 'field_name').

The culprit is _build_fts_indexes in ckanext/datastore/db.py
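To illustrate the point of the report above, here is an added example (not CKAN's code, and not the reporter's): a validator that only rejects double quotes protects a field name that is later wrapped in double quotes as an identifier, but not one that is interpolated into a single-quoted literal such as the second argument of to_tsvector. The `build_fts_index_weak` function is an assumed reconstruction of that pattern, not the actual `_build_fts_indexes`; the table name, the index statement shape and the `top_level_semicolons` helper are all constructed for this demonstration. The field name used as input is the one from the CSV in the report.

```python
# Added example: why a "no double quotes" check does not cover a single-quoted
# SQL context. None of this is CKAN's own code; the statement shape is assumed.

# Field name taken from the report's CSV header (the injection lives between
# the single quote and the double dash).
REPORTED_FIELD = "fo;'));CREATE TABLE breakit(breakit integer);--ürth_field"


def quote_identifier(name: str) -> str:
    """PostgreSQL identifier quoting: wrap in double quotes, double embedded ones."""
    return '"' + name.replace('"', '""') + '"'


def quote_literal(value: str) -> str:
    """PostgreSQL string-literal quoting: wrap in single quotes, double embedded ones."""
    return "'" + value.replace("'", "''") + "'"


def weak_check_accepts(name: str) -> bool:
    """The check the report describes: only a double quote is rejected."""
    return '"' not in name


def build_fts_index_weak(table: str, field: str, lang: str = "english") -> str:
    """Assumed reconstruction of the vulnerable pattern: the field name passes the
    double-quote check and is then placed inside a single-quoted literal, so a
    single quote in the name terminates the literal early."""
    if not weak_check_accepts(field):
        raise ValueError("field names may not contain double quotes")
    return ("CREATE INDEX ON {t} USING gist(to_tsvector('{lang}', '{f}'))"
            .format(t=quote_identifier(table), lang=lang, f=field))


def build_fts_index_hardened(table: str, field: str, lang: str = "english") -> str:
    """Every interpolated value is quoted for the context it actually lands in:
    identifiers via quote_identifier, string literals via quote_literal."""
    return ("CREATE INDEX ON {t} USING gist(to_tsvector({lang}, {f}))"
            .format(t=quote_identifier(table),
                    lang=quote_literal(lang),
                    f=quote_literal(field)))


def top_level_semicolons(sql: str) -> int:
    """Count ';' that sit outside quoted literals, quoted identifiers and a
    trailing -- comment. A toy scanner for this demonstration only (no dollar
    quoting, no block comments); one statement should yield 0."""
    count = 0
    quote = None          # quote character we are currently inside, if any
    i, n = 0, len(sql)
    while i < n:
        c = sql[i]
        if quote:
            if c == quote:
                # A doubled quote inside a quoted region is an escaped quote.
                if i + 1 < n and sql[i + 1] == quote:
                    i += 2
                    continue
                quote = None
        elif c in ("'", '"'):
            quote = c
        elif sql.startswith("--", i):
            break         # rest of the line is a comment
        elif c == ";":
            count += 1
        i += 1
    return count


if __name__ == "__main__":
    weak = build_fts_index_weak("mytable", REPORTED_FIELD)
    hardened = build_fts_index_hardened("mytable", REPORTED_FIELD)
    print("weak     :", weak, "->", top_level_semicolons(weak), "extra statement(s)")
    print("hardened :", hardened, "->", top_level_semicolons(hardened), "extra statement(s)")
```

Running it shows the weak builder emitting two top-level semicolons (the literal closes at the reporter's quote and the CREATE TABLE runs as its own statement), while the hardened builder keeps the whole field name, semicolons and all, inside one literal. The same quoting discipline also makes a perfectly legitimate field name such as o'brien safe, which a blacklist of characters would otherwise have to reject.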

