Location: packages/server/src/integrations/postgres.ts:529-531

Description

The PostgreSQL integration constructs shell commands using user-controlled configuration values (database name, host, password, etc.) without proper sanitization. The password and other connection parameters are directly interpolated into a shell command.

Code Reference

    const dumpCommand = `PGPASSWORD="${
      this.config.password
    }" pg_dump --schema-only "${dumpCommandParts.join(" ")}"`

Attack Vector

An attacker who can control database configuration values (e.g., through compromised credentials or configuration injection) can inject shell commands. For example:

• Password: password"; malicious-command; echo "
• Database name: db"; rm -rf /; echo "

Impact

• Remote code execution
• System compromise
• Data exfiltration

Recommendation

1. Use environment variables for sensitive values instead of command-line arguments
2. Validate and sanitize all configuration values
3. Use proper escaping for shell arguments
4. Consider using a PostgreSQL library's native dump functionality instead of shell commands

Example Fix

import { execFile } from "child_process"
import { promisify } from "util"
const execFileAsync = promisify(execFile)

// Use execFile with proper argument handling
const env = {
  ...process.env,
  PGPASSWORD: this.config.password
}

const args = [
  "--schema-only",
  "--host", this.config.host,
  "--port", this.config.port.toString(),
  "--username", this.config.user,
  "--dbname", this.config.database
]

try {
  const { stdout } = await execFileAsync("pg_dump", args, { env })
  return stdout
} catch (error) {
  // Handle error
}