SchemaHero SQL Injection Vulnerability Allowing Database Integrity Compromise
Vulnerability
A SQL injection vulnerability has been identified in SchemaHero version 0.23.0. It affects the PostgreSQL and MySQL plugins when they process column definitions from Table Custom Resource Definitions (CRDs): a column's default value is concatenated directly into the generated SQL statement without escaping, so a crafted default can break out of the DEFAULT clause. In PostgreSQL this allows arbitrary functions to be called from the injected expression; in MySQL it allows additional columns with attacker-chosen default values to be appended to the statement. No user interaction is required when 'Database.spec.immediateDeploy' is set to true, because Table CRDs are then applied to the database without manual approval.
Impact
Exploitation of this vulnerability allows an attacker who can create or modify Table CRDs to alter database table structures, inject arbitrary data through malicious default values and, in the case of PostgreSQL, invoke functions that could leak sensitive information.
Reproduction
To reproduce, create a Table CRD whose column default values contain a SQL injection payload and apply it against a Database whose 'Database.spec.immediateDeploy' is set to true. The migration is then deployed without manual approval and the injected SQL executes immediately.
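The following Go program is an added illustration of the flaw described in the Vulnerability and Reproduction sections above; it is not SchemaHero's own code, and the ColumnSpec type, the function names and the constructed payloads are assumptions made for the example. It contrasts the vulnerable pattern (default value wrapped in quotes but never escaped) with a hardened builder that allowlists identifiers and types and renders the default as a properly escaped string literal, so the same payload that would smuggle a second column past the vulnerable builder comes out as an inert literal. Escaping here follows PostgreSQL's standard string syntax (standard_conforming_strings=on); MySQL's backslash handling would need the dialect-specific rule.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// ColumnSpec is a simplified stand-in for one column of a SchemaHero Table
// CRD (field names are assumptions for this example, not the project's API).
type ColumnSpec struct {
	Name    string
	Type    string
	Default *string // nil means no DEFAULT clause
}

// vulnerableColumnDDL shows the flawed pattern the advisory describes: the
// default value is wrapped in quotes and concatenated without any escaping,
// so a single quote in the value terminates the literal early.
func vulnerableColumnDDL(c ColumnSpec) string {
	ddl := c.Name + " " + c.Type
	if c.Default != nil {
		ddl += " DEFAULT '" + *c.Default + "'"
	}
	return ddl
}

var (
	identRe = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)
	// Column types: words plus an optional (n) or (p,s) modifier, e.g.
	// "integer", "varchar(255)", "numeric(10,2)", "timestamp with time zone".
	typeRe = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_ ]*(\([0-9]+(, ?[0-9]+)?\))?$`)
)

// quoteIdent double-quotes an identifier after checking it against a
// conservative allowlist, so a column or table name cannot leave its slot.
func quoteIdent(s string) (string, error) {
	if !identRe.MatchString(s) {
		return "", fmt.Errorf("rejecting identifier %q", s)
	}
	return `"` + s + `"`, nil
}

// quoteLiteral renders the default as a single-quoted SQL string literal by
// doubling embedded single quotes (PostgreSQL standard string syntax, where a
// backslash has no special meaning). NUL bytes are rejected because they
// cannot be stored in a text value at all.
func quoteLiteral(s string) (string, error) {
	if strings.ContainsRune(s, 0) {
		return "", errors.New("rejecting default containing NUL byte")
	}
	return "'" + strings.ReplaceAll(s, "'", "''") + "'", nil
}

// hardenedColumnDDL builds the same clause with every CRD-controlled piece
// either validated against an allowlist or rendered as an escaped literal.
// Expression defaults such as now() are deliberately unsupported here; they
// would need their own allowlist rather than concatenation.
func hardenedColumnDDL(c ColumnSpec) (string, error) {
	name, err := quoteIdent(c.Name)
	if err != nil {
		return "", err
	}
	if !typeRe.MatchString(c.Type) {
		return "", fmt.Errorf("rejecting column type %q", c.Type)
	}
	ddl := name + " " + c.Type
	if c.Default != nil {
		lit, err := quoteLiteral(*c.Default)
		if err != nil {
			return "", err
		}
		ddl += " DEFAULT " + lit
	}
	return ddl, nil
}

// createTableDDL assembles a CREATE TABLE statement from per-column clauses
// produced by the supplied builder (vulnerable or hardened).
func createTableDDL(table string, cols []ColumnSpec, build func(ColumnSpec) (string, error)) (string, error) {
	t, err := quoteIdent(table)
	if err != nil {
		return "", err
	}
	parts := make([]string, 0, len(cols))
	for _, c := range cols {
		clause, err := build(c)
		if err != nil {
			return "", err
		}
		parts = append(parts, clause)
	}
	return "CREATE TABLE " + t + " (" + strings.Join(parts, ", ") + ")", nil
}

func main() {
	// Constructed payloads (placeholders, not real exploits): the first closes
	// the literal and appends a second column, the MySQL-style effect; the
	// second turns the default into an expression that calls a function, the
	// PostgreSQL-style effect.
	extraColumn := "x', injected_col text DEFAULT 'y"
	callFunction := "' || version() || '"
	cols := []ColumnSpec{
		{Name: "id", Type: "integer"},
		{Name: "note", Type: "text", Default: &extraColumn},
		{Name: "label", Type: "varchar(255)", Default: &callFunction},
	}
	vuln, _ := createTableDDL("users", cols, func(c ColumnSpec) (string, error) { return vulnerableColumnDDL(c), nil })
	fmt.Println("vulnerable:", vuln)
	safe, err := createTableDDL("users", cols, hardenedColumnDDL)
	fmt.Println("hardened:  ", safe, err)
}
```

Running it prints a vulnerable statement that really does define an extra column and call version(), and a hardened statement in which both payloads survive only as quoted text. The identifier and type allowlists matter as much as the literal escaping: without them, the same breakout is available through the column name or type field.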
Remediation
Users are advised to update to a version of SchemaHero that addresses this vulnerability. Until then, set 'Database.spec.immediateDeploy' to false so that every migration requires manual approval, and review pending migrations for suspicious default values before approving them. Restricting through RBAC who may create or modify Table CRDs, and monitoring audit logs for CRD changes, further reduce the risk.
