SQL injection in sql_api/api_workflow.py endpoint in Archery - GHSL-2022-103
Description
Archery SQL audit platform SQL injection in ExecuteCheck endpoint allows an attacker to query connected databases via unfiltered 'db_name' parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Archery SQL audit platform (version 1.9.0) contains a SQL injection vulnerability in the sql_api/api_workflow.py endpoint ExecuteCheck. User input from the db_name parameter is passed unfiltered through the sql/engines/oracle.py execute_check method to the explain_check method, which concatenates it into a SQL query [1]. This allows an attacker to inject arbitrary SQL.
Exploitation
An attacker with network access to the Archery instance and knowledge of a valid database instance name can send a crafted POST request to the ExecuteCheck endpoint, supplying malicious input in the db_name parameter [1]. The input is not sanitized, leading to execution of arbitrary SQL against the connected database.
Impact
Successful exploitation results in information disclosure; the attacker can query the connected databases and retrieve sensitive data [1]. The vulnerability is indexed as GHSL-2022-103.
Mitigation
No patched version has been released. As a workaround, escape the db_name and full_sql parameters using MySQLdb.escape() or use prepared statements with placeholders in cursor.execute() to automatically escape values [1].
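To make the mitigation concrete, the following is an added example (not Archery's code and not the advisory's): a hypothetical lookup that splices `db_name` into query text, the same lookup with a bound placeholder, and an identifier check for the case where `db_name` has to become a schema name rather than a value. It assumes an in-memory sqlite3 table as a stand-in for the Oracle instance, and the `known_instances` allowlist and the identifier regex are assumptions of this example.

```python
import re
import sqlite3

# Constructed stand-in for a connected instance: one table mapping database
# names to owners. Archery talks to Oracle/MySQL; sqlite3 keeps this runnable.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE schemas (db_name TEXT, owner TEXT)")
    conn.executemany("INSERT INTO schemas VALUES (?, ?)",
                     [("sales", "alice"), ("hr", "bob")])
    return conn

def lookup_owner_vulnerable(conn, db_name):
    # Hypothetical helper showing the defect class: db_name is spliced into the
    # statement text, so a quote in the input rewrites the WHERE clause.
    sql = f"SELECT owner FROM schemas WHERE db_name = '{db_name}'"
    return [row[0] for row in conn.execute(sql)]

def lookup_owner_safe(conn, db_name):
    # Placeholder binding: the driver passes db_name as a value, never as SQL.
    sql = "SELECT owner FROM schemas WHERE db_name = ?"
    return [row[0] for row in conn.execute(sql, (db_name,))]

# Conservative unquoted-identifier pattern (an assumption, not Archery's rule).
IDENTIFIER = re.compile(r"^[A-Za-z][A-Za-z0-9_$#]{0,29}$")

def validate_db_name(db_name, known_instances):
    # When db_name must become an identifier (a schema name inside a
    # statement), placeholders cannot bind it; check it against the configured
    # instance list and an identifier grammar before it reaches query text.
    if not IDENTIFIER.match(db_name) or db_name not in known_instances:
        raise ValueError(f"rejected db_name: {db_name!r}")
    return db_name

def demo():
    conn = make_db()
    probe = "x' OR '1'='1"  # constructed input containing a quote character
    return {
        "vulnerable": lookup_owner_vulnerable(conn, probe),  # every row leaks
        "safe": lookup_owner_safe(conn, probe),              # no match
        "validated": validate_db_name("sales", {"sales", "hr"}),
    }

if __name__ == "__main__":
    print(demo())
```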
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] github.com/hhyo/Archery/security/advisories/GHSA-3p43-89m6-7x5w (CONFIRM)
News mentions (0)
No linked articles in our index yet.