SchemaHero SQL Injection Vulnerability in MySQL Plugin

Vulnerability

A SQL injection vulnerability has been identified in SchemaHero version 0.23.0, specifically within the MySQL column handling functions. The issue arises because column names are wrapped in backticks without escaping any backticks contained in the name itself, so a name that contains a backtick closes the quoted identifier early and lets an attacker inject additional SQL elements. This vulnerability is part of a broader set of SQL injection issues in SchemaHero, including similar default value injection vulnerabilities in both MySQL and PostgreSQL. When the 'immediateDeploy' option is enabled, these malicious injections are executed automatically, bypassing manual review.

Impact

Exploitation of this vulnerability allows for arbitrary SQL injection through crafted column definitions, which can lead to unauthorized data manipulation or disclosure.

Reproduction

The vulnerability can be reproduced by creating a Table Custom Resource Definition (CRD) in a Kubernetes cluster with SchemaHero installed. After deploying a MySQL database and setting up a connection, a Table CRD can be created whose column names contain unescaped backticks. Once applied, the injection can be verified by checking the executed SQL commands in the SchemaHero controller logs, which show the injected text being processed as part of the table creation query. The results can be confirmed by inspecting the database for the injected columns and their effects, such as manipulated default values.

Remediation

To address this vulnerability, it is recommended to escape backticks in MySQL column names (a literal backtick inside a quoted MySQL identifier is written as two backticks) before concatenating them into SQL statements. Additionally, users should consider disabling the 'immediateDeploy' feature in SchemaHero, which can be done by setting 'Database.spec.immediateDeploy' to 'false', and monitoring and restricting who can create Table CRDs.
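The following is an added illustration of the escaping the remediation calls for, written in Go (SchemaHero's language) for this page; it is not SchemaHero's own code. The function names, the column struct, and the allow-list policy in validateIdent are assumptions of the example. quoteIdentUnsafe mirrors the pattern the advisory describes (backticks added, nothing escaped), quoteIdent is the hardened form, and buildCreateTable shows both quoting and validation applied before a statement is assembled.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// quoteIdentUnsafe mirrors the pattern the advisory describes: the name is
// wrapped in backticks but a backtick inside the name is left as-is, so the
// quoted identifier ends early and the remainder is parsed as SQL.
func quoteIdentUnsafe(name string) string {
	return "`" + name + "`"
}

// quoteIdent is the hardened form. MySQL writes a literal backtick inside a
// quoted identifier as two backticks, so doubling keeps the whole name inside
// one identifier regardless of its content.
func quoteIdent(name string) string {
	return "`" + strings.ReplaceAll(name, "`", "``") + "`"
}

// validateIdent is an additional allow-list check (an assumption of this
// example, not something the advisory specifies): names that do not look like
// ordinary MySQL identifiers are rejected before they reach the SQL builder.
func validateIdent(name string) error {
	if name == "" || len(name) > 64 { // MySQL's identifier length limit
		return errors.New("identifier length out of range")
	}
	for _, r := range name {
		switch {
		case r >= 'a' && r <= 'z', r >= 'A' && r <= 'Z', r >= '0' && r <= '9', r == '_', r == '$':
		default:
			return fmt.Errorf("identifier %q contains disallowed character %q", name, r)
		}
	}
	return nil
}

// column is a minimal stand-in for a Table CRD column entry (constructed for
// this example). The Type string is assumed to come from the project's own
// type mapping rather than from user-controlled text.
type column struct {
	Name string
	Type string
}

// buildCreateTable renders a CREATE TABLE statement with every identifier
// validated and then quoted with escaping, so the table and column names can
// never terminate the quoted identifier early.
func buildCreateTable(table string, cols []column) (string, error) {
	if err := validateIdent(table); err != nil {
		return "", err
	}
	parts := make([]string, 0, len(cols))
	for _, c := range cols {
		if err := validateIdent(c.Name); err != nil {
			return "", err
		}
		parts = append(parts, quoteIdent(c.Name)+" "+c.Type)
	}
	return fmt.Sprintf("CREATE TABLE %s (%s)", quoteIdent(table), strings.Join(parts, ", ")), nil
}

func main() {
	// Constructed sample: a column name carrying a stray backtick.
	name := "id`x"
	fmt.Println("unsafe:", quoteIdentUnsafe(name)) // `id`x`  (identifier closes after id)
	fmt.Println("safe:  ", quoteIdent(name))       // `id``x` (one identifier named id`x)
	fmt.Println("validate:", validateIdent(name))   // rejected by the allow-list

	stmt, err := buildCreateTable("users", []column{{"id", "INT"}, {"name", "VARCHAR(64)"}})
	fmt.Println(stmt, err)
}
```

Escaping alone is what MySQL requires; the allow-list is an extra layer that makes a backtick-bearing name fail loudly at admission time rather than silently becoming an oddly named column. Either layer on its own closes the early-termination problem described above.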

Added: Mar 30, 2026, 4:23 PM
Updated: Mar 30, 2026, 4:23 PM

Vulnerability Rating

Custom Algorithm

  spread          0.0
  impact          3.1
  exploitability  6.2
  remediation     0.0
  relevance       4.9
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.