Multiple SQL injections in sql_api/api_workflow.py endpoint in Archery - GHSL-2022-102
Description
Multiple SQL injection vulnerabilities in Archery's ExecuteCheck endpoint allow attackers to query connected databases via unsanitized user input.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Archery v1.9.0 contains multiple SQL injection vulnerabilities in the sql_api/api_workflow.py endpoint ExecuteCheck. User input from the db_name and full_sql parameters is unsafely concatenated into SQL queries in the execute_check methods of sql/engines/clickhouse.py, sql/engines/goinception.py, and sql/engines/oracle.py. These methods pass the concatenated input to the respective query methods, leading to SQL injection. The vulnerable code paths are described in [1].
Exploitation
An attacker must have knowledge of the database instance name defined in Archery. They can then send a crafted POST request to the ExecuteCheck endpoint with malicious values in the db_name and full_sql parameters. The unsanitized input is executed as part of SQL queries against the connected databases, allowing the attacker to retrieve or manipulate data [1].
Impact
Successful exploitation allows an attacker to execute arbitrary SQL queries on the connected databases. This leads to unauthorized disclosure of database contents, data modification, or potential privilege escalation depending on database permissions [1]. The attack compromises the confidentiality and integrity of the database systems managed by Archery.
Mitigation
As of the advisory publication, no patched version has been released. Mitigation requires sanitizing user input by escaping variables or using prepared statements in the affected methods (execute_check in clickhouse.py, goinception.py, and oracle.py). Users should apply input validation and restrict network access to the Archery instance until an official fix is available [1].
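To make the bug class and the mitigation concrete, the following is an added illustration, not Archery's code and not taken from the advisory: it uses an in-memory SQLite table (constructed sample data) as a stand-in for a connected instance, shows a hypothetical `execute_check`-style helper that splices a caller-supplied `db_name` into SQL text, and beside it the hardened form that first checks the name against an allowlist of configured instances (identifier positions such as `USE <db>` cannot be bound as parameters) and then binds the value with a placeholder. The function names, the `CONFIGURED_INSTANCES` set and the identifier regex are assumptions made for this example.

```python
import re
import sqlite3

# Constructed allowlist of instance names an operator has configured (assumption for this example).
CONFIGURED_INSTANCES = {"prod", "staging"}
# Conservative identifier shape; identifiers cannot be parameter-bound, so they must be validated.
IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")


def make_sample_db():
    """Build an in-memory SQLite database standing in for a connected instance (constructed sample)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE instances (db_name TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO instances VALUES (?, ?)",
        [("prod", "dba"), ("staging", "dev")],
    )
    return conn


def owners_unsafe(conn, db_name):
    """Hypothetical vulnerable pattern (the bug class in the advisory): the caller-supplied
    db_name is spliced into the SQL text, so input containing a quote can change the query."""
    sql = f"SELECT owner FROM instances WHERE db_name = '{db_name}'"
    return [row[0] for row in conn.execute(sql)]


def validate_instance_name(db_name):
    """Reject anything that is not a well-formed, configured instance name.
    This is the only sound check at identifier positions, where placeholders are unavailable."""
    if not IDENTIFIER_RE.match(db_name) or db_name not in CONFIGURED_INSTANCES:
        raise ValueError(f"unknown or malformed instance name: {db_name!r}")
    return db_name


def owners_safe(conn, db_name):
    """Hardened form: allowlist the identifier, then bind the value with a placeholder
    (a prepared statement) instead of string concatenation."""
    name = validate_instance_name(db_name)
    return [
        row[0]
        for row in conn.execute("SELECT owner FROM instances WHERE db_name = ?", (name,))
    ]


if __name__ == "__main__":
    conn = make_sample_db()
    print(owners_unsafe(conn, "prod"))                 # ['dba']
    print(owners_unsafe(conn, "prod' OR '1'='1"))      # ['dba', 'dev']: the quote breaks out and widens the query
    print(owners_safe(conn, "prod"))                   # ['dba']
    try:
        owners_safe(conn, "prod' OR '1'='1")
    except ValueError as exc:
        print("rejected:", exc)                        # rejected before any SQL is built
```

The safe variant rejects malformed names before any SQL is constructed, which is also a useful point to log: a rejected `db_name` on this endpoint is a strong signal of probing and is cheap to alert on.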
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] github.com/hhyo/Archery/security/advisories/GHSA-hvcq-r2r2-34ch
News mentions: 0
No linked articles in our index yet.