+ "details": "**Location**: `packages/server/src/integrations/postgres.ts:529-531` \n\n#### Description\nThe PostgreSQL integration constructs shell commands using user-controlled configuration values (database name, host, password, etc.) without proper sanitization. The password and other connection parameters are directly interpolated into a shell command.\n\n#### Code Reference\n```529:531:packages/server/src/integrations/postgres.ts\n const dumpCommand = `PGPASSWORD=\"${\n this.config.password\n }\" pg_dump --schema-only \"${dumpCommandParts.join(\" \")}\"`\n```\n\n#### Attack Vector\nAn attacker who can control database configuration values (e.g., through compromised credentials or configuration injection) can inject shell commands. For example:\n- Password: `password\"; malicious-command; echo \"`\n- Database name: `db\"; rm -rf /; echo \"`\n\n#### Impact\n- Remote code execution\n- System compromise\n- Data exfiltration\n\n#### Recommendation\n1. Use environment variables for sensitive values instead of command-line arguments\n2. Validate and sanitize all configuration values\n3. Use proper escaping for shell arguments\n4. Consider using a PostgreSQL library's native dump functionality instead of shell commands\n\n#### Example Fix\n```typescript\nimport { execFile } from \"child_process\"\nimport { promisify } from \"util\"\nconst execFileAsync = promisify(execFile)\n\n// Use execFile with proper argument handling\nconst env = {\n ...process.env,\n PGPASSWORD: this.config.password\n}\n\nconst args = [\n \"--schema-only\",\n \"--host\", this.config.host,\n \"--port\", this.config.port.toString(),\n \"--username\", this.config.user,\n \"--dbname\", this.config.database\n]\n\ntry {\n const { stdout } = await execFileAsync(\"pg_dump\", args, { env })\n return stdout\n} catch (error) {\n // Handle error\n}\n```",
![advisory-database[bot]](https://avatars.githubusercontent.com/in/21409?v=4&size=40){kind=avatar}
0 commit comments