SQL injection

huntr.dev report A25D15BD-CD23-487E-85CD-587960F1B9E7
Reported by afkl-cuit, 2022-05-19 20:10:19
Repository: camptocamp/terraboard
Tags: api, sql injection, dynamic string splicing, proof of concept, bugbounty

EPSS: 0.081 (percentile 94.4%)
Description

SQL injection exists in camptocamp/terraboard.

Among the APIs exposed by terraboard there is a route, /api/search/attribute, handled by api.SearchAttribute. That handler takes the request parameters and passes them into db.SearchAttribute. In db.SearchAttribute, when the request parameter tf_version or lineage_value is set, execution reaches line 373 or line 377 of the db source respectively. Both lines build the SQL filter by formatting the user-supplied value directly into the query string, which allows SQL injection.

As an example, the relevant part of line 373 is:

fmt.Sprintf("states.tf_version LIKE '%s'", fmt.Sprintf("%%%s%%", v))

where the variable v is the request parameter tf_version, which is attacker controlled. If v is the following string:

v := "' OR pg_sleep(10) OR states.tf_version LIKE '%"

then the generated SQL fragment becomes

states.tf_version LIKE '%' OR pg_sleep(10) OR states.tf_version LIKE '%%'

The leading single quote closes the LIKE literal, the injected OR pg_sleep(10) is evaluated by PostgreSQL as part of the WHERE clause, and the trailing LIKE '%' reopens a literal so the statement stays syntactically valid. pg_sleep only delays the response; replacing it with another expression or subquery lets the attacker do whatever the application's database user is permitted to do, which is far more serious.
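The clause construction described above, as an added example written for this page (it is not terraboard's code): the vulnerable fmt.Sprintf form from line 373 reproduced as a function, beside a parameterised replacement that keeps the SQL text constant and, going one step beyond the report, also escapes LIKE wildcards so the value matches literally. The column name and the payload are the report's; the function names, the PostgreSQL-style $n placeholders and the ESCAPE clause are assumptions of this example, not anything the project is known to use.

```go
package main

import (
	"fmt"
	"strings"
)

// Added example (not terraboard's code): the report's vulnerable LIKE clause
// next to a parameterised replacement using PostgreSQL-style $n placeholders.
// The column states.tf_version and the payload come from the report; the
// function names and the ESCAPE handling are this example's own assumptions.

// vulnerableClause reproduces the pattern quoted from db.SearchAttribute.
// The value is pasted into the SQL text, so a quote inside v ends the literal
// and everything after it is parsed as SQL.
func vulnerableClause(v string) string {
	return fmt.Sprintf("states.tf_version LIKE '%s'", fmt.Sprintf("%%%s%%", v))
}

// escapeLike makes the value match literally inside a LIKE pattern by escaping
// the pattern metacharacters % and _ (and the escape character itself).
// Parameterisation alone stops injection but still lets a caller match every
// row with a bare "%"; this closes that gap.
func escapeLike(s string) string {
	return strings.NewReplacer(`\`, `\\`, `%`, `\%`, `_`, `\_`).Replace(s)
}

// safeClause returns a fixed SQL fragment with a positional placeholder and the
// value as a separate query argument. pos is the placeholder index ($1, $2, ...)
// so the fragment can be combined with other filters built the same way.
func safeClause(v string, pos int) (string, []interface{}) {
	clause := fmt.Sprintf("states.tf_version LIKE $%d ESCAPE '\\'", pos)
	return clause, []interface{}{"%" + escapeLike(v) + "%"}
}

func main() {
	payload := "' OR pg_sleep(10) OR states.tf_version LIKE '%"

	// Vulnerable: the SQL text itself changes with the input.
	fmt.Println("vulnerable:", vulnerableClause(payload))

	// Safe: the SQL text is constant and the payload travels as data, to be
	// passed to the driver, e.g. db.QueryContext(ctx, "SELECT ... WHERE "+clause, args...).
	clause, args := safeClause(payload, 1)
	fmt.Println("safe:      ", clause, args)
}
```

The point to check in a fix is that the query string handed to the driver no longer depends on the request value at all; the value only ever appears in the argument list.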

Proof of Concept

Run the following curl command; the request should take about 10 seconds to return, where $DEMO_URL is the host and port of the application. The trailing % is part of the payload; if the server's query-string parser rejects a bare %, send it percent-encoded as %25. A delay confirms the time-based payload, and an SQL error in place of the normal response likewise shows that the quote broke out of the literal.

curl "http://${DEMO_URL}/api/search/attribute?tf_version='+OR+pg_sleep(10)+OR+states.tf_version+LIKE+'%"
