Shelf SQL Injection Vulnerability in Sort Parameter on Assets Route
Vulnerability
A SQL injection vulnerability has been identified in Shelf versions from 1.12 up to, but not including, 1.20.1. The issue arises in the sortBy query parameter on the /assets route, where an authenticated user can execute arbitrary SQL. Exploitation gives access to data from any table in the database, including records belonging to other organizations. The vulnerability is rooted in the parseSortingOptions function, which does not validate the user-supplied value before interpolating it into a raw SQL ORDER BY clause. As a result, an attacker can craft the sorting parameter so that the resulting query executes attacker-controlled SQL.
Impact
An authenticated attacker can execute arbitrary SQL against the application's database. Because the injection point is not scoped to the caller's own organization, this can expose data from any table, including sensitive information belonging to other organizations, which amounts to a bypass of tenant isolation.
Reproduction
To reproduce this vulnerability, an authenticated user sends a request to the /assets route with a sortBy parameter that carries a SQL fragment. Because the value is placed verbatim into the ORDER BY clause, the injected SQL is executed by the database, which demonstrates the flaw.
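The interpolation pattern described in the Vulnerability section and the kind of value a reproduction sends, as an added example that is not Shelf's own code: a hypothetical sortBy parser written in the vulnerable shape, next to an allowlist-based hardened form. The function names, the column list, the column:direction format, and the sample payload are all assumptions for illustration, not the project's parseSortingOptions.

```typescript
// Added illustration of the flaw class described in this advisory: a sortBy
// value interpolated verbatim into an ORDER BY clause, next to a hardened
// parser that only accepts allowlisted column names and directions.
// Everything here (function names, the column list, the "column:direction"
// format, the sample payload) is an assumption for illustration; it is not
// Shelf's parseSortingOptions or any other code from the project.

// Hypothetical set of columns a caller is allowed to sort by.
const SORTABLE_COLUMNS: ReadonlySet<string> = new Set(["title", "createdAt", "updatedAt"]);
const DIRECTIONS: ReadonlySet<string> = new Set(["asc", "desc"]);

type SortDirection = "asc" | "desc";
interface SortingOptions {
  column: string;
  direction: SortDirection;
}

// Splits "column:direction" into its two halves without validating either.
function splitSortBy(sortBy: string): { column: string; direction: string } {
  const idx = sortBy.indexOf(":");
  if (idx === -1) {
    return { column: sortBy, direction: "asc" };
  }
  return { column: sortBy.slice(0, idx), direction: sortBy.slice(idx + 1) };
}

// Vulnerable pattern: the user-controlled halves are dropped straight into a raw
// SQL fragment, so any SQL placed after the column or direction is passed
// through to the database unchanged.
function buildOrderByUnsafe(sortBy: string): string {
  const { column, direction } = splitSortBy(sortBy);
  return `ORDER BY "${column}" ${direction}`;
}

// Hardened pattern: reject anything that is not an allowlisted column name and
// direction, so the produced clause is always one of a small, fixed set.
function parseSortingOptionsSafe(sortBy: string): SortingOptions {
  const { column, direction } = splitSortBy(sortBy);
  if (!SORTABLE_COLUMNS.has(column)) {
    throw new Error(`unsupported sort column: ${JSON.stringify(column)}`);
  }
  const dir = direction.toLowerCase();
  if (!DIRECTIONS.has(dir)) {
    throw new Error(`unsupported sort direction: ${JSON.stringify(direction)}`);
  }
  return { column, direction: dir as SortDirection };
}

function buildOrderBySafe(sortBy: string): string {
  const { column, direction } = parseSortingOptionsSafe(sortBy);
  return `ORDER BY "${column}" ${direction.toUpperCase()}`;
}

// Alternative to raw SQL: hand the validated pair to an ORM-style orderBy
// object (e.g. Prisma's `orderBy: { createdAt: "desc" }`), so no ORDER BY
// string is ever assembled from user input.
function toOrmOrderBy(sortBy: string): Record<string, SortDirection> {
  const { column, direction } = parseSortingOptionsSafe(sortBy);
  return { [column]: direction };
}

// Constructed sample input: a normal sort followed by an injected subquery.
const SAMPLE_PAYLOAD = "title:asc, (SELECT 1)";

// Returns true when the unsafe builder lets the injected fragment reach the
// generated SQL while the safe builder rejects the same input.
function demonstrate(): boolean {
  const unsafe = buildOrderByUnsafe(SAMPLE_PAYLOAD);
  let safeRejected = false;
  try {
    buildOrderBySafe(SAMPLE_PAYLOAD);
  } catch {
    safeRejected = true;
  }
  return unsafe.includes("(SELECT 1)") && safeRejected;
}

console.log(buildOrderByUnsafe(SAMPLE_PAYLOAD));
console.log(buildOrderBySafe("createdAt:desc"));
console.log("demonstrate():", demonstrate());
```

The allowlist is the important part: escaping or quoting the column name is not enough for an ORDER BY clause, because an identifier cannot be bound as a query parameter, so the only safe inputs are ones the code already knows about.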
Remediation
Update to Shelf version 1.20.1 or later, where this vulnerability has been patched. Users of the Docker image can apply the fix by pulling an image built from 1.20.1 or later.
