go-pg SQL Injection Vulnerability in Query Parameter Handling
Vulnerability
A SQL injection vulnerability has been identified in the go-pg PostgreSQL client library, in version 10.13.0. The issue lies in the 'append_value.go' component, where user-controlled input can be injected into SQL queries, potentially allowing the execution of attacker-chosen SQL statements. The vulnerability is particularly concerning when the library is used in 'simple query protocol' mode, where parameters are interpolated into the query string client-side without proper escaping, creating an opportunity for injection.
Impact
Exploitation of this vulnerability allows for SQL injection, where an attacker can manipulate SQL queries to execute arbitrary SQL commands, potentially leading to unauthorized data access or modification.
Reproduction
The vulnerability can be reproduced by using the go-pg library in version 10.13.0 with the 'simple query protocol' mode enabled. When a prepared statement is constructed with user-controlled parameters, such as negative numbers or specific string values, the library fails to properly escape the input. The interpolated data can then alter the SQL query's syntax, producing a line comment that can be exploited to execute malicious SQL commands.
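As an added illustration (not go-pg's own code), the following shows the interpolation pattern the advisory describes, a hardened formatter that parenthesizes negative values, and a pre-send check for an unquoted line comment; the helper names naiveAppendInt, safeAppendInt and hasLineComment are hypothetical.

```go
package main

import (
	"fmt"
	"strconv"
)

// naiveAppendInt mirrors the unsafe pattern: the numeric parameter is written
// straight into the query text. If the query text already ends in "-"
// (for example "delta = -?"), a negative value yields "--", which PostgreSQL
// treats as the start of a line comment and ignores the rest of the line.
func naiveAppendInt(query string, v int64) string {
	return query + strconv.FormatInt(v, 10)
}

// safeAppendInt wraps negative values in parentheses so the minus sign can
// never merge with a preceding "-" into a comment marker.
func safeAppendInt(query string, v int64) string {
	if v < 0 {
		return query + "(" + strconv.FormatInt(v, 10) + ")"
	}
	return query + strconv.FormatInt(v, 10)
}

// hasLineComment is a defensive check a query builder can run before sending
// a client-side formatted query. It reports "--" outside single-quoted string
// literals (assumes standard-conforming strings, where '' is the only escape).
func hasLineComment(q string) bool {
	inString := false
	for i := 0; i < len(q); i++ {
		c := q[i]
		switch {
		case c == '\'':
			inString = !inString // '' toggles twice and stays inside the literal
		case !inString && c == '-' && i+1 < len(q) && q[i+1] == '-':
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample: a query fragment that ends in a unary minus.
	const prefix = "SELECT * FROM items WHERE delta = -"
	unsafeQ := naiveAppendInt(prefix, -1) // "... delta = --1": tail is now a comment
	safeQ := safeAppendInt(prefix, -1)    // "... delta = -(-1)": still an expression
	fmt.Println(unsafeQ, hasLineComment(unsafeQ))
	fmt.Println(safeQ, hasLineComment(safeQ))
}
```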
Remediation
Users are advised to update to go-pg version 10.14.0 or later, where this vulnerability has been patched.
