GeoPandas SQL Injection Vulnerability in to_postgis() Function

Vulnerability

A SQL injection vulnerability exists in GeoPandas versions prior to 1.1.2, specifically within the to_postgis() function used to transfer GeoDataFrames to a PostgreSQL database. The vulnerability arises because user inputs, such as table names and geometry column names, are directly concatenated into SQL queries without proper sanitization. This flaw allows attackers to manipulate SQL queries and potentially access or modify sensitive database information.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can interfere with database queries. This could lead to unauthorized data access, data modification, or execution of arbitrary SQL commands. In the context of PostgreSQL, such exploitation could also involve executing system commands via PostgreSQL's command execution capabilities.

Reproduction

The vulnerability can be reproduced by creating a GeoDataFrame and using the rename_geometry() method to insert a malicious payload into the geometry column name. When the GeoDataFrame is then written to a PostgreSQL database using the to_postgis() function, the injected SQL command is executed, demonstrating the SQL injection vulnerability.

Remediation

Users should update to GeoPandas version 1.1.2 or later, where this vulnerability has been fixed. The fix involves replacing direct string interpolation in SQL queries with parameterized queries, which safely handle user inputs and prevent SQL injection attacks.
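As an added illustration (not GeoPandas code, and not the exact change shipped in 1.1.2), the sketch below contrasts the interpolation pattern the advisory describes with a builder that quotes identifiers; table and column names cannot be bound as ordinary query parameters, so the hardened form quotes them and additionally allowlists plain names. It runs against in-memory SQLite, which parses double-quoted identifiers the same way PostgreSQL does, and every name in it is a constructed sample.

```python
import re
import sqlite3

# Constructed sample names (not from the advisory). The second contains a
# space, enough for a naively concatenated statement to change meaning.
TABLE = "roads"
PLAIN_COL = "geometry"
TRICKY_COL = "geom col"

PLAIN_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

def is_plain_identifier(name: str) -> bool:
    """Defence in depth: allowlist check for conservative identifier names."""
    return bool(PLAIN_IDENT.match(name))

def quote_ident(name: str) -> str:
    """Quote a SQL identifier the way PostgreSQL (and SQLite) parse it:
    wrap it in double quotes and double any embedded double quote.
    Identifiers cannot be bound as query parameters, so quoting is the fix."""
    if not name or "\x00" in name:
        raise ValueError("invalid identifier")
    return '"' + name.replace('"', '""') + '"'

def build_create_naive(table: str, geom_col: str) -> str:
    """The pattern the advisory describes: identifiers interpolated verbatim."""
    return f"CREATE TABLE {table} (id INTEGER, {geom_col} TEXT)"

def build_create_safe(table: str, geom_col: str) -> str:
    """Hardened builder: every identifier goes through quote_ident()."""
    return (f"CREATE TABLE {quote_ident(table)} "
            f"(id INTEGER, {quote_ident(geom_col)} TEXT)")

def columns_after_create(sql: str, table: str) -> list[str]:
    """Run one CREATE statement on an in-memory SQLite database and return
    the resulting column names, so the effect of (not) quoting is visible."""
    con = sqlite3.connect(":memory:")
    try:
        con.execute(sql)  # execute() accepts exactly one statement
        rows = con.execute(f"PRAGMA table_info({quote_ident(table)})").fetchall()
    finally:
        con.close()
    return [row[1] for row in rows]

if __name__ == "__main__":
    # Naive: the space makes "col TEXT" the declared type; the column is "geom".
    print(columns_after_create(build_create_naive(TABLE, TRICKY_COL), TABLE))
    # Safe: the full name survives as a single quoted identifier.
    print(columns_after_create(build_create_safe(TABLE, TRICKY_COL), TABLE))
```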

Added: Jan 30, 2026, 7:20 PM
Updated: Jan 30, 2026, 8:20 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          2.5
exploitability  6.2
remediation     0.0
relevance       2.5
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.