generated from host-uk/core-template
Labels: lang:php (PHP/Laravel)
Description
The Database.php component's isReadOnlyQuery() method can be bypassed using SQL comment injection.
Location
- File: src/View/Modal/Admin/Database.php
- Lines: 134-150
Issue
The current implementation only checks the first word of the query and rejects a semicolon that is followed by further text:

```php
protected function isReadOnlyQuery(string $query): bool
{
    // strtok() splits on the space character only
    $firstWord = strtoupper(strtok($query, ' '));
    if (! in_array($firstWord, self::ALLOWED_STATEMENTS, true)) {
        return false;
    }
    // Block stacked queries: a semicolon followed by non-whitespace
    if (preg_match('/;\s*\S/', $query)) {
        return false;
    }
    return true;
}
```

This can be bypassed with:

- `SELECT 1; -- DROP TABLE users` (semicolon at end not caught)
- `SELECT * INTO OUTFILE '/tmp/data.txt' FROM users` (data exfiltration)
- `SELECT * FROM users WHERE 1=1 UNION SELECT password FROM users` (data enumeration)
Recommendation
- Use parameterized queries with a query parser or use a read-only database connection
- Block dangerous keywords like `INTO OUTFILE`, `INTO DUMPFILE`, `LOAD_FILE`
- Consider using a database replica configured as read-only
- Add query logging with alerting for suspicious patterns
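As an added illustration (not code from this repository), here is a fail-closed variant of the check that covers the bypass strings listed above and the keyword-blocking recommendation; the contents of `ALLOWED_STATEMENTS` are assumed, since the report does not show the constant.

```php
<?php
// Added example, not the project's code. It rejects any semicolon, any comment
// opener, and the server-side file keywords from the recommendation list.
final class ReadOnlyQueryCheck
{
    private const ALLOWED_STATEMENTS = ['SELECT', 'SHOW', 'DESCRIBE', 'EXPLAIN']; // assumed

    // Anything a read-only admin console never needs; one hit rejects the query.
    private const REJECT_PATTERNS = [
        '/;/',                              // any semicolon, a trailing one included
        '~--|#|/\*~',                       // comment openers: nothing may hide in a comment
        '/\bINTO\s+(OUTFILE|DUMPFILE)\b/i', // writes files on the database server
        '/\bLOAD_FILE\s*\(/i',              // reads files on the database server
        '/\bFOR\s+UPDATE\b/i',              // row locks are not read-only behaviour
    ];

    public static function isReadOnlyQuery(string $query): bool
    {
        // Split on all whitespace, not only ' ', so a tab or newline after the
        // first word cannot change which token is inspected.
        $tokens = preg_split('/\s+/', trim($query), -1, PREG_SPLIT_NO_EMPTY);
        if ($tokens === [] || ! in_array(strtoupper($tokens[0]), self::ALLOWED_STATEMENTS, true)) {
            return false;
        }
        // Patterns run over the raw text. A match inside a string literal is a
        // false positive we accept: the check must fail closed, not open.
        foreach (self::REJECT_PATTERNS as $pattern) {
            if (preg_match($pattern, $query) === 1) {
                return false;
            }
        }
        return true;
    }
}

// Constructed inputs: the report's three bypass strings plus a benign query.
$samples = [
    "SELECT 1; -- DROP TABLE users",
    "SELECT * INTO OUTFILE '/tmp/data.txt' FROM users",
    "SELECT * FROM users WHERE 1=1 UNION SELECT password FROM users",
    "SELECT id, email FROM users WHERE id = 42",
];
foreach ($samples as $sql) {
    printf("%-5s %s\n", ReadOnlyQueryCheck::isReadOnlyQuery($sql) ? 'ok' : 'deny', $sql);
}
// A UNION is still a read: which tables and columns may be read at all is a job
// for the database user's grants (the read-only user or replica recommended above),
// not for string matching.
```

String matching of this kind is defence in depth only; the read-only connection or replica from the recommendation list is the control that actually holds.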
Severity
High - Could allow data exfiltration or manipulation if bypassed