Description
LF Edge eKuiper has a SQL Injection in sqlKvStore
Summary
A user could exploit a SQL injection in the Get method of sqlKvStore to execute a malicious SQL query.
Details
I will use explainRuleHandler ("/rules/{name}/explain") as an example to illustrate. However, this vulnerability also exists in other methods such as sourceManageHandler, asyncTaskCancelHandler, pluginHandler, etc.
The SQL injection can happen in the code: https://github.com/lf-edge/ekuiper/blob/d6457d008e129b1cdd54d76b5993992c349d1b80/internal/pkg/store/sql/sqlKv.go#L89-L93
The code to accept user input is: https://github.com/lf-edge/ekuiper/blob/d6457d008e129b1cdd54d76b5993992c349d1b80/internal/server/rest.go#L274-L277
The rule id in the above code can be used to inject into the SQL query.
Note that the delete function is also vulnerable: https://github.com/lf-edge/ekuiper/blob/d6457d008e129b1cdd54d76b5993992c349d1b80/internal/pkg/store/sql/sqlKv.go#L138-L141
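The difference between a key pasted into SQL text and a key passed as a bound argument, as an added example (not eKuiper's code and not part of the original advisory). The function names, the table name `rule`, the query shape and the `?` placeholder style are assumptions made for illustration, and the sample keys are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Assumed shape of the flawed pattern (illustrative): key pasted into SQL text.
func unsafeGetQuery(table, key string) string {
	return fmt.Sprintf("SELECT val FROM '%s' WHERE key='%s';", table, key)
}

var identRe = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

// safeGetQuery keeps the SQL text fixed; the key is returned as a bound argument
// for db.QueryRow(query, args...). Table names cannot be bound, so validate them.
func safeGetQuery(table, key string) (string, []interface{}, error) {
	if !identRe.MatchString(table) {
		return "", nil, fmt.Errorf("invalid table name %q", table)
	}
	return `SELECT val FROM "` + table + `" WHERE key = ?;`, []interface{}{key}, nil
}

// skeleton drops the contents of single-quoted literals ('' is an escaped
// quote) so that two statements can be compared by structure alone.
func skeleton(q string) string {
	var b strings.Builder
	inLit := false
	for i := 0; i < len(q); i++ {
		switch {
		case q[i] == '\'' && inLit && i+1 < len(q) && q[i+1] == '\'':
			i++ // escaped quote, still inside the literal
		case q[i] == '\'':
			inLit = !inLit
			b.WriteByte(q[i])
		case !inLit:
			b.WriteByte(q[i])
		}
	}
	return b.String()
}

// changesStructure reports whether key alters the statement beyond its literal.
func changesStructure(table, key string) bool {
	return skeleton(unsafeGetQuery(table, key)) != skeleton(unsafeGetQuery(table, "x"))
}

func main() {
	fmt.Println(changesStructure("rule", "rule-1"), changesStructure("rule", "a' OR '1'='1"))
}
```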
PoC
The screenshot shows the malicious SQL query to insert a value:
The screenshot shows the breakpoint of executing the query:
Impact
SQL Injection vulnerability
The reporters are Yuan Luo, Shuai Xiong, Haoyu Wang from Tencent YunDing Security Lab.
Packages
github.com/lf-edge/ekuiper: affected versions < 1.14.2, fixed in 1.14.2
ekuiper: affected versions < 1.14.2, fixed in 1.14.2
Related vulnerabilities
LF Edge eKuiper is a lightweight IoT data analytics and stream processing engine running on resource-constrained edge devices. A user could exploit a SQL injection in the Get method of sqlKvStore to execute a malicious SQL query. This vulnerability is fixed in 1.14.2.