Lucene search

GitHub Advisory DatabaseGHSA-M7WR-2XF7-CM9P

HistoryMar 04, 2024 - 8:13 p.m.

pgx SQL Injection via Line Comment Creation

2024-03-0420:13:11

CWE-89

GitHub Advisory Database

github.com

sql injection

simple protocol

parameterized query

user-controlled

patches

workarounds

software

7 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

8.7%

JSON

Impact

SQL injection can occur when all of the following conditions are met:

The non-default simple protocol is used.
A placeholder for a numeric value must be immediately preceded by a minus.
There must be a second placeholder for a string value after the first placeholder; both
must be on the same line.
Both parameter values must be user-controlled.

e.g.

Simple mode must be enabled:

// connection string includes "prefer_simple_protocol=true"
// or
// directly enabled in code
config.ConnConfig.PreferSimpleProtocol = true

Parameterized query:

SELECT * FROM example WHERE result=-$1 OR name=$2;

Parameter values:

$1 => -42
$2 => "foo\n 1 AND 1=0 UNION SELECT * FROM secrets; --"

Resulting query after preparation:

SELECT * FROM example WHERE result=--42 OR name= 'foo
1 AND 1=0 UNION SELECT * FROM secrets; --';

Patches

The problem is resolved in v4.18.2.

Workarounds

Do not use the simple protocol or do not place a minus directly before a placeholder.

CPENameOperatorVersion
github.com/jackc/pgx/v4lt4.18.2
github.com/jackc/pgxlt4.18.2

CPE	Name	Operator	Version
	github.com/jackc/pgx/v4	lt	4.18.2
	github.com/jackc/pgx	lt	4.18.2

References

github.com/advisories/GHSA-m7wr-2xf7-cm9p

github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df

github.com/jackc/pgx/security/advisories/GHSA-m7wr-2xf7-cm9p