DataEase
cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*, +1 more
- 2.10.20
A SQL injection vulnerability has been identified in Dataease version 2.10.20. The issue arises in the SqlparserUtils.transFilter function within the Data Dashboard component. This vulnerability allows for remote exploitation by injecting malicious SQL through unvalidated user input, particularly in the handling of SQL variables in dashboard queries.
Exploitation of this vulnerability allows for arbitrary SQL injection, with the potential to read sensitive data from the database. Additionally, if the database user has high privileges, there could be risks of data manipulation, such as dropping tables or writing web shells. The vulnerability also opens a pathway for remote code execution on the server by uploading a malicious JDBC driver JAR, according to the proof of concept available on the GitHub repository.
The vulnerability can be reproduced by creating a SQL dataset in Dataease that includes a variable placeholder. When a dashboard user sends a request that includes a crafted filter value, the transFilter function will return the unmodified user input. This input is then directly inserted into the SQL query without proper sanitization, allowing for SQL injection. After the injection is executed, the injected SQL can be used to extract data, such as passwords, from the database.
To address this vulnerability, Dataease should implement strong type validation for SQL variables, ensuring that values are correctly formatted and do not include harmful characters. Additionally, the application should use parameterized queries to prevent SQL injection, restrict the upload of JDBC driver JARs to a whitelist of trusted drivers, and require signature verification for uploaded JARs.
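As an added illustration, not DataEase's own code: a minimal model of the unchecked placeholder substitution the advisory describes beside a typed, parameterized binder of the kind the mitigation calls for. The `${name}` placeholder syntax, the `orders` table and the variable names are assumptions.

```python
import re
import sqlite3
from datetime import date

# Constructed sample dataset SQL with a variable placeholder (syntax assumed).
DATASET_SQL = "SELECT id, name FROM orders WHERE region_id = ${region_id}"
PLACEHOLDER = re.compile(r"\$\{(\w+)\}")

def trans_filter_unchecked(value):
    # Mirrors the defect: the filter value comes back unmodified and is
    # later pasted straight into the query text.
    return value

def build_unchecked(sql, filters):
    # Vulnerable pattern: whatever the user sent becomes part of the SQL.
    return PLACEHOLDER.sub(lambda m: trans_filter_unchecked(filters[m.group(1)]), sql)

# Hardened form: every variable carries a declared type, the value is coerced
# to that type or rejected, and the query is parameterized, so the value is
# passed to the driver as data and never becomes SQL text.
COERCERS = {"int": int, "text": str, "date": date.fromisoformat}

def build_parameterized(sql, filters, types):
    params = []
    def bind(match):
        name = match.group(1)
        coerce = COERCERS[types[name]]
        try:
            params.append(coerce(filters[name]))
        except (ValueError, TypeError) as exc:
            raise ValueError(f"variable {name!r} is not a valid {types[name]}") from exc
        return "?"
    return PLACEHOLDER.sub(bind, sql), tuple(params)

def run_parameterized(filters, types):
    # Constructed in-memory table so the hardened path can be exercised offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, name TEXT, region_id INTEGER)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                     [(1, "north", 7), (2, "south", 8)])
    sql, params = build_parameterized(DATASET_SQL, filters, types)
    return conn.execute(sql, params).fetchall()
```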