lyft / presto-gateway

A load balancer / proxy / gateway for prestodb
Apache License 2.0

com.h2database:h2 XML External Entity (XXE) Injection #157

Open chickenPopcorn opened 3 years ago

chickenPopcorn commented 3 years ago

We put the project through Snyk, and it reported a vulnerability. Can we take a look at it?

Introduced through
com.h2database:h2@1.4.197 and org.javalite:activejdbc@2.5-j8
Exploit maturity: PROOF OF CONCEPT

Detailed paths
Introduced through: com.lyft.data:gateway-ha@1.8.6 › com.h2database:h2@1.4.197
Fix: No remediation path available.
Introduced through: com.lyft.data:gateway-ha@1.8.6 › org.javalite:activejdbc@2.5-j8 › com.h2database:h2@1.4.197
Fix: No remediation path available.
Overview
com.h2database:h2 is a database engine.

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object, when it receives parsed string data from org.h2.jdbc.JdbcResultSet.getSQLXML() method. If it executes the getSource() method when the parameter is DOMSource.class it will trigger the vulnerability.
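As an added example (not code from presto-gateway, Snyk or h2), the defensive alternative to the getSource(DOMSource.class) path the report names: read the SQLXML as text and parse it with a DocumentBuilderFactory that forbids DTDs and external entities, so the outcome no longer depends on the driver's own parser settings. The class name, method names and the sample documents are all constructed here.

```java
import java.io.IOException;
import java.io.StringReader;
import java.sql.SQLException;
import java.sql.SQLXML;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public final class SafeSqlXml {
    // DocumentBuilder with DTDs and external entities switched off: this is what
    // stops XXE, independent of how the JDBC driver itself parses XML.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    static Document parseHardened(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        return hardenedBuilder().parse(new InputSource(new StringReader(xml)));
    }

    // Instead of sqlxml.getSource(DOMSource.class), which lets the driver build the DOM,
    // take the raw text and parse it under our own hardened configuration.
    static Document readSqlXml(SQLXML sqlxml)
            throws SQLException, ParserConfigurationException, SAXException, IOException {
        return parseHardened(sqlxml.getString());
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample documents; no database connection is needed for this demo.
        String plain = "<row><name>alice</name></row>";
        System.out.println(parseHardened(plain).getDocumentElement().getTagName());
        String withDoctype = "<!DOCTYPE row [<!ENTITY e \"x\">]><row>&e;</row>";
        try {
            parseHardened(withDoctype);
        } catch (SAXException e) {
            System.out.println("rejected DOCTYPE: " + e.getMessage());
        }
    }
}
```

The second document is refused before any entity is resolved, which is the behaviour to confirm when auditing where gateway-ha hands result-set XML to a parser.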

endoplasmicR commented 2 years ago

It seems to suggest a SQL injection vulnerability, but the message is not very clear. It would be useful to elaborate more on the location of the getSQLXML() call.