Ormar Pydantic Validation Bypass Vulnerability in Model Constructor
Vulnerability
A vulnerability in the Ormar library for Python allows Pydantic validation to be bypassed in versions through 0.23.0. The issue arises because the model constructor accepts injected parameters that skip crucial validation checks. Unauthenticated users can exploit this by sending JSON requests that include the '__pk_only__' parameter, which bypasses all field validation and allows unvalidated data to be saved directly to the database. Additionally, the '__excluded__' parameter can be used to nullify specific fields during the model's construction. This vulnerability impacts applications that use Ormar's models with FastAPI, following the integration pattern recommended in the official documentation.
Impact
Exploitation of this vulnerability leads to a complete bypass of Pydantic's validation, allowing for the injection of unvalidated data into the database. This could result in privilege escalation, data integrity violations, and business logic bypass, particularly in applications using Ormar with FastAPI.
Reproduction
To reproduce this vulnerability, create a FastAPI application that uses Ormar models. When a POST request is made to an endpoint that expects an Ormar model, inject the '__pk_only__' parameter set to true. This will bypass all validation for the model fields. Afterward, send a request with the '__excluded__' parameter to nullify specific fields, demonstrating the injection of unvalidated data and the manipulation of model field values.
Remediation
Users are advised to upgrade to Ormar version 0.23.1, where this vulnerability has been fixed. In the updated version, the library no longer allows the injection of '__pk_only__' and '__excluded__' parameters through user-supplied kwargs, preventing the validation bypass and field nullification that could be exploited in previous versions.
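For deployments that cannot upgrade to 0.23.1 immediately, the following added example (not Ormar's code and not part of the advisory) shows a defence-in-depth guard that rejects any request body carrying a double-underscore key before the body ever reaches a model constructor. The model field names, the sample bodies and the value given to '__excluded__' are constructed placeholders; the only facts taken from the advisory are the two reserved key names. The guard walks nested objects and arrays, so a reserved key hidden inside a nested relation payload is caught as well.

```python
"""Defence-in-depth guard for JSON bodies that feed ORM/Pydantic model constructors.

Added example, not Ormar's own code. It refuses any JSON object key that starts
with a double underscore ('__pk_only__', '__excluded__', ...) so such keys can
never be forwarded as kwargs to a model constructor. Upgrading to Ormar 0.23.1
remains the actual fix; this is a stop-gap for applications that cannot yet.
"""
from __future__ import annotations

import json
from typing import Any


class ReservedKeyError(ValueError):
    """Raised when a request body carries a constructor-internal key."""


def find_reserved_keys(payload: Any, path: str = "$") -> list[str]:
    """Return JSONPath-style locations of every object key beginning with '__'.

    Recurses into nested objects and arrays, so a key such as
    '$.author.__pk_only__' inside a nested relation payload is reported too.
    """
    hits: list[str] = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            if isinstance(key, str) and key.startswith("__"):
                hits.append(f"{path}.{key}")
            hits.extend(find_reserved_keys(value, f"{path}.{key}"))
    elif isinstance(payload, list):
        for idx, item in enumerate(payload):
            hits.extend(find_reserved_keys(item, f"{path}[{idx}]"))
    return hits


def validate_body(raw: bytes | str) -> dict[str, Any]:
    """Parse a JSON body and refuse it if any reserved key is present.

    Returns the parsed object only when it is clean, so callers can hand the
    result to a model constructor without further filtering.
    """
    data = json.loads(raw)
    if not isinstance(data, dict):
        raise ReservedKeyError("expected a JSON object body")
    hits = find_reserved_keys(data)
    if hits:
        raise ReservedKeyError(
            "reserved constructor keys in body: " + ", ".join(hits)
        )
    return data


# Constructed sample bodies (field names and values are placeholders, not from
# the advisory). Only the two reserved key names come from the advisory text.
CLEAN_BODY = '{"name": "alice", "email": "alice@example.com", "role": "user"}'
BYPASS_BODY = '{"name": "alice", "role": "admin", "__pk_only__": true}'
NESTED_BODY = '{"title": "post", "author": {"id": 1, "__excluded__": ["role"]}}'


if __name__ == "__main__":
    print("accepted:", validate_body(CLEAN_BODY))
    for body in (BYPASS_BODY, NESTED_BODY):
        try:
            validate_body(body)
        except ReservedKeyError as exc:
            print("rejected:", exc)
```

In a FastAPI application this check would run in a dependency that reads the raw body (for example via `await request.body()`) and calls `validate_body` before the framework constructs the Ormar model from the request; a `ReservedKeyError` is then mapped to a 400 response. Because the guard only needs the key names, it does not depend on Ormar internals and keeps working after the upgrade as an extra layer.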