CVE-2024-27289: pgx SQL Injection via Line Comment Creation
(updated )
SQL injection can occur when all of the following conditions are met:
- The non-default simple protocol is used.
- A placeholder for a numeric value must be immediately preceded by a minus.
- There must be a second placeholder for a string value after the first placeholder; both must be on the same line.
- Both parameter values must be user-controlled.
e.g.
Simple mode must be enabled:
// connection string includes "prefer_simple_protocol=true"
// or
// directly enabled in code
config.ConnConfig.PreferSimpleProtocol = true
Parameterized query:
SELECT * FROM example WHERE result=-$1 OR name=$2;
Parameter values:
$1 => -42
$2 => "foo\n 1 AND 1=0 UNION SELECT * FROM secrets; --"
Resulting query after preparation:
SELECT * FROM example WHERE result=--42 OR name= 'foo
1 AND 1=0 UNION SELECT * FROM secrets; --';
References
Code Behaviors & Features
Detect and mitigate CVE-2024-27289 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →