Elixir Postgrex SQL Injection Vulnerability in Notifications Module
Vulnerability
A SQL injection vulnerability has been identified in the Elixir Postgrex library, specifically within the Notifications module. This issue arises because the channel argument in the listen and unlisten functions is directly inserted into SQL statements without proper escaping. An attacker can exploit this by injecting a quote to escape the identifier and append arbitrary SQL commands. The vulnerability is present in versions 0.16.0 prior to 0.22.2.
Impact
Exploitation of this vulnerability allows for SQL injection on the notifications connection, executing arbitrary SQL commands as the application's database role. This could lead to unauthorized data access, modification, or deletion.
Reproduction
To reproduce this vulnerability, call the 'Postgrex.Notifications.listen/3' or 'Postgrex.Notifications.unlisten/3' functions with a channel name that includes untrusted user input. The injected input should include a quote to break out of the SQL statement's quoted identifier, allowing the addition of malicious SQL commands. After injecting the SQL, the 'Postgrex.Notifications.handle_connect/1' function can be used to replay the LISTEN commands, demonstrating the vulnerability's persistence across connections.
Remediation
Upgrade to Postgrex version 0.22.2 or later. If upgrading is not possible, sanitize channel names to remove quotes and null bytes before passing them to the listen or unlisten functions.
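The workaround above, as an added Elixir example that is not Postgrex's own code: instead of stripping quotes it doubles them (standard PostgreSQL identifier quoting, so the channel name can never close the quoted identifier) and refuses null bytes outright; the module name SafeListen and the 63-byte length check are assumptions, not something the advisory specifies.

```elixir
defmodule SafeListen do
  @moduledoc """
  Added example, not Postgrex code: build LISTEN/UNLISTEN statements with the
  channel name always treated as a quoted identifier, never spliced in raw.
  """

  # Validate and quote a channel name as a PostgreSQL identifier.
  # Returns {:ok, quoted_identifier} or {:error, reason}.
  def quote_identifier(channel) when is_binary(channel) do
    cond do
      channel == "" ->
        {:error, :empty_identifier}

      # Null bytes are invalid in identifiers; reject rather than silently strip.
      String.contains?(channel, <<0>>) ->
        {:error, :null_byte}

      # Assumed limit: default PostgreSQL builds cap identifiers at 63 bytes
      # (NAMEDATALEN - 1); refusing longer names avoids silent truncation.
      byte_size(channel) > 63 ->
        {:error, :too_long}

      true ->
        # Double every embedded double quote so it cannot terminate the
        # identifier, then wrap the whole name in double quotes.
        escaped = String.replace(channel, "\"", "\"\"")
        {:ok, "\"" <> escaped <> "\""}
    end
  end

  def quote_identifier(_other), do: {:error, :not_a_string}

  # Each builder returns {:ok, sql} or propagates the validation error.
  def listen_sql(channel) do
    with {:ok, ident} <- quote_identifier(channel), do: {:ok, "LISTEN " <> ident}
  end

  def unlisten_sql(channel) do
    with {:ok, ident} <- quote_identifier(channel), do: {:ok, "UNLISTEN " <> ident}
  end

  # Constructed sample inputs: a plain name, a name containing a quote, and
  # a name containing a null byte. Only the third is refused.
  def demo do
    Enum.map(["orders", "a\"b", "a" <> <<0>> <> "b"], &listen_sql/1)
  end
end
```

Callers would pass the resulting SQL to the notifications connection in place of the raw channel string; untrusted input that fails validation is surfaced as an error instead of reaching the database.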