Regarding SQL injection in Ignite H2 database

[Jinny Ramsmark <ji...@defensify.se>]

Hello!

I have a client who has designed an application where the user can input SQL directly in the browser and send it to the application.
The application will then use the H2 database in Ignite to join data taken from a Mongo database for analytical purposes which will then be displayed in the browser (graphs etc).
I have argued that this solution is dangerous as I was able to execute code on the server via the H2 database because of the "SQL injection by design".

As it stands right now their argument is that:

  *   Ignite has been updated to 2.8.1 which makes the user account for H2 not run as SA anymore.
  *   The data that is loaded into the database is meant to be available to the user anyway, so it doesn't matter (although the data is extremely sensitive for anyone not authorized to see it).

In all other cases I would still tell them that SQL injection = bad, but they refuse to rethink the design.

My question is if Ignite and H2 is designed to work like this?
Are there any other risks I can use for my argument or shall I give up and tell them that it's okay?
My instincts tell me that this is an all out bad idea since a database is normally not made to be used like this, since database servers often can do so much more than simply get data.
My current worry is that H2 can do something else that I haven't thought about yet, that can make this design even more dangerous.

Any other perspectives and insights on this would be really helpful.

Kind regards, Jinny

Re: Regarding SQL injection in Ignite H2 database

[Denis Magda <dm...@apache.org>]

The discussion is moved to the security channel. Please don’t respond here.

Denis

On Friday, June 26, 2020, Jinny Ramsmark <ji...@defensify.se> wrote:

> Hello!
>
> I have a client who has designed an application where the user can input
> SQL directly in the browser and send it to the application.
> The application will then use the H2 database in Ignite to join data taken
> from a Mongo database for analytical purposes which will then be displayed
> in the browser (graphs etc).
> I have argued that this solution is dangerous as I was able to execute
> code on the server via the H2 database because of the "SQL injection by
> design".
>
> As it stands right now their argument is that:
>
>    - Ignite has been updated to 2.8.1 which makes the user account for H2
>    not run as SA anymore.
>    - The data that is loaded into the database is meant to be available
>    to the user anyway, so it doesn't matter (although the data is extremely
>    sensitive for anyone not authorized to see it).
>
> In all other cases I would still tell them that SQL injection = bad, but
> they refuse to rethink the design.
>
> My question is if Ignite and H2 is designed to work like this?
> Are there any other risks I can use for my argument or shall I give up and
> tell them that it's okay?
> My instincts tell me that this is an all out bad idea since a database is
> normally not made to be used like this, since database servers often can do
> so much more than simply get data.
> My current worry is that H2 can do something else that I haven't thought
> about yet, that can make this design even more dangerous.
>
> Any other perspectives and insights on this would be really helpful.
>
> Kind regards, Jinny
>
>

-- 
-
Denis