Status: Closed (Araq closed this issue 3 years ago)
This fix would require a rewrite of the db_postgres module, and Postgres doesn't care about working with binary zeros. See https://www.commandprompt.com/blog/null-characters-workarounds-arent-good-enough/

If you simply pass data to your database without validation... Good luck.
Vulnerability

Escaping a decoded URL param `%00` in a query generated with `db_postgres` fails with Postgresql error code: `unterminated quoted string at or near "'"`.

Affected module:

Why should this be treated as a vulnerability

Jester accepts POST requests and makes the params available to the end-user. If the end-user uses the params in a SQL query with `execAffectedRows()`, Postgresql will error out. Jester is an accepted Nimble package by core Nim, and end-users should therefore be protected from injection-ish problems. In the worst-case scenario this could be used as a DoS tool where the POST is repeated and the server crashes.

Setup:

1) Set up a connection to a Postgres DB and provide a POST route with Jester.

TABLE:

JESTER:

2) Make a forced POST, e.g. with OWASP.

HEADER:

BODY:

Mitigations: Instead of `execAffectedRowsSafe()`, `tryExec()` could be used to catch the error, but that stops the main purpose of `execAffectedRowsSafe()`.
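The failure mode this report describes, traced in Python as an added illustration (not code from the issue, from Jester or from db_postgres): the quoted query reaches the server through a C string, so a decoded `%00` cuts it off at the NUL byte and the literal's closing quote is lost. The quoting helper and the sample UPDATE are constructed stand-ins for what a text-protocol client produces; `decode_param` is the kind of check a handler would apply to a request parameter before it is used in a query.

```python
"""Why a NUL byte in a URL parameter yields "unterminated quoted string".

A query built by splicing a quoted literal into SQL text is handed to the
database driver as a C string, so everything after the first NUL byte is
dropped. If the NUL sits inside the literal, its closing quote disappears
and the server reports an unterminated string. All inputs are constructed.
"""
from typing import Optional
from urllib.parse import unquote


def quote_literal(value: str) -> str:
    """Minimal SQL string quoting (single quotes doubled); a stand-in for
    what a text-protocol client does before splicing a value into SQL."""
    return "'" + value.replace("'", "''") + "'"


def build_query(name: str) -> str:
    """Constructed sample statement that embeds one quoted parameter."""
    return "UPDATE users SET name = " + quote_literal(name) + " WHERE id = 1"


def as_c_string(query: str) -> str:
    """What a C-string based API sees: the text up to the first NUL byte."""
    nul = query.find("\x00")
    return query if nul < 0 else query[:nul]


def has_unterminated_quote(query: str) -> bool:
    """True when the single quotes in the query text do not pair up, which
    is the condition behind the server's 'unterminated quoted string'."""
    return query.count("'") % 2 == 1


def decode_param(raw: str) -> Optional[str]:
    """Decode a URL-encoded parameter and reject it if it carries a NUL byte.

    Returns the decoded value, or None when the parameter must be refused;
    a handler would answer 400 in that case instead of running the query.
    """
    decoded = unquote(raw)
    if "\x00" in decoded:
        return None
    return decoded


if __name__ == "__main__":
    seen = as_c_string(build_query(unquote("bob%00x")))
    print(repr(seen), "unterminated:", has_unterminated_quote(seen))
    print("validator accepts bob%00x:", decode_param("bob%00x") is not None)
```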