SQL injection in sql_optimize.py explain method in Archery - GHSL-2022-108
Description
Archery v1.9.0 SQL injection in the explain endpoint allows an attacker to query connected databases via unsanitized db_name parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Archery v1.9.0 SQL injection in the `explain` endpoint allows an attacker to query connected databases via unsanitized `db_name` parameter.
Vulnerability
Archery v1.9.0 contains a SQL injection vulnerability in the explain method of sql_optimize.py. The unsanitized db_name parameter from the /explain/ endpoint is passed directly to the query methods of sql/engines/mssql.py (line 310) and sql/engines/oracle.py (line 640) without any escaping or parameterization [1]. This allows an attacker to inject arbitrary SQL commands into queries executed against the underlying databases.
Exploitation
An attacker must have knowledge of a valid database instance name configured in Archery to target the injection. The attacker sends a crafted db_name value to the explain endpoint, providing malicious SQL that gets concatenated into the query executed by the database engine [1]. No authentication is explicitly required beyond a configured Archery instance, though the endpoint may be exposed to any authenticated user in a typical deployment.
Impact
Successful exploitation leads to information disclosure. The attacker can execute arbitrary SQL queries on the connected MSSQL or Oracle databases, potentially retrieving sensitive data or enumerating database schema [1]. The scope is limited to read operations based on the database engine's configuration and the attacker's knowledge of the instance name.
Mitigation
The vendor recommends escaping the db_name parameter using MySQLdb.escape() or adopting prepared statements with placeholders in cursor.execute() [1]. A fixed version has not been explicitly released in the available references; the advisory suggests these remediation steps for the codebase. Users should apply input sanitization immediately and review the sql_optimize.py file for similar issues.
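The pattern the advisory describes and the two remediations it names, as an added example rather than Archery's own code: a request-supplied `db_name` formatted straight into query text beside a version that allowlists the name against the configured instances and binds values through `cursor.execute()` placeholders. Function names, the `USE [...]`/`SET SHOWPLAN_ALL` statement shape and the sqlite3 in-memory registry are assumptions made so the snippet runs offline.

```python
import re
import sqlite3
from typing import Iterable

# Hypothetical helpers; the shape mirrors the advisory's description
# (request-supplied db_name interpolated into SQL text), not Archery's code.

def vulnerable_explain_sql(db_name: str, sql: str) -> str:
    """'Before': db_name is placed in the statement text unescaped."""
    return f"USE [{db_name}]; SET SHOWPLAN_ALL ON; {sql}"

_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_$]*")

def validate_db_name(db_name: str, configured: Iterable[str]) -> str:
    """'After', part 1: a database name is an identifier, which driver
    placeholders cannot bind, so it is allowlisted against the instances
    the application is actually configured with."""
    if not _IDENT.fullmatch(db_name) or db_name not in set(configured):
        raise ValueError(f"unknown or malformed database name: {db_name!r}")
    return db_name

def hardened_explain_sql(db_name: str, sql: str, configured: Iterable[str]) -> str:
    """Same statement as above, built only from an allowlisted name."""
    name = validate_db_name(db_name, configured)
    return f"USE [{name}]; SET SHOWPLAN_ALL ON; {sql}"

def make_registry() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a table of configured instances
    (sqlite3 so the example runs offline; MSSQL and Oracle drivers take the
    same placeholder approach with their own paramstyle)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE instance (db_name TEXT)")
    conn.executemany("INSERT INTO instance VALUES (?)", [("prod",), ("staging",)])
    return conn

def lookup_instance_unsafe(conn: sqlite3.Connection, db_name: str) -> list:
    """'Before': string formatting lets the value alter the WHERE clause."""
    cur = conn.execute(f"SELECT db_name FROM instance WHERE db_name = '{db_name}'")
    return [row[0] for row in cur.fetchall()]

def lookup_instance(conn: sqlite3.Connection, db_name: str) -> list:
    """'After', part 2: wherever db_name is used as a value, bind it with a
    placeholder so the driver treats it as data, never as SQL."""
    cur = conn.execute("SELECT db_name FROM instance WHERE db_name = ?", (db_name,))
    return [row[0] for row in cur.fetchall()]
```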
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
- [1] github.com/hhyo/Archery/security/advisories/GHSA-349r-2663-cr3w
News mentions: 0
No linked articles in our index yet.