Server side template injection in @budibase/server
Description
@budibase/server: Command Injection in PostgreSQL Dump Command
Location: packages/server/src/integrations/postgres.ts:529-531
Description
The PostgreSQL integration builds a shell command from user-controlled configuration values (database name, host, password, etc.) without sanitizing or escaping them. The password and the other connection parameters are interpolated directly into the command string, so a double quote or other shell metacharacter in any of those values is interpreted as shell syntax rather than as part of the value.
Code Reference
```ts
const dumpCommand = `PGPASSWORD="${ this.config.password }" pg_dump --schema-only "${dumpCommandParts.join(" ")}"`
```
Attack Vector
An attacker who can control database configuration values (e.g., through compromised credentials or configuration injection) can inject shell commands. For example:
Password: password"; malicious-command; echo "
Database name: db"; rm -rf /; echo "
Impact
Remote code execution
System compromise
Data exfiltration
Recommendation
Use environment variables for sensitive values instead of command-line arguments
Validate and sanitize all configuration values
Use proper escaping for shell arguments
Consider using a PostgreSQL library's native dump functionality instead of shell commands
Example Fix
```ts
import { execFile } from "child_process"
import { promisify } from "util"

const execFileAsync = promisify(execFile)

// Use execFile with proper argument handling
const env = { ...process.env, PGPASSWORD: this.config.password...
```
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
| Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
| npm | 3.23.32 |