
Summary

pREST provides a simple way for users to expose access to their database via a RESTful API. The project is implemented in the Go programming language and is designed to expose access to Postgres database tables. During an independent review of the project, Doyensec engineers found that SQL injection is a systemic problem in the current implementation (version v2.0.0-rc2). Even though there are several instances of attempts to sanitize user input and mitigate injection attempts, we have found that on most code paths the protection is faulty or non-existent.

Core Endpoints

The main functionality providing REST operations on the data stored in the Postgres database is exposed via the following endpoints:

– GET /{database}/{schema}/{table}
– POST /{database}/{schema}/{table}
– PUT|PATCH /{database}/{schema}/{table}
– DELETE /{database}/{schema}/{table}

Handlers for the above endpoints execute very similar logic. At a high level they:

1. Perform authentication and authorization
2. Build the SQL query based on the incoming request
3. Execute the query on the database
4. Return the data to the user

The query construction logic takes data from the request (e.g. query, body or path parameters) and incorporates it in the SQL query. As an example, let us look at the GET request, i.e. the read operation. After completing the authentication and authorization steps, the SelectFromTables function will first compile a list of all columns/fields that will be returned in the…
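As an added example, not pREST's own code: a hardened version of the query-building step for the read operation described above, written in Go. It allowlists the schema, table and field identifiers that arrive in the request and passes filter values to the driver as bind parameters instead of concatenating them. The names Filter, quoteAll and buildSelect, and the column=value filter shape, are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)
// Filter is an assumed column=value pair taken from the request's query string.
type Filter struct{ Col, Val string }
// identRe allowlists plain SQL identifiers; anything else is refused outright.
var identRe = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)
// quoteAll allowlists each identifier and double-quotes it so the database only ever reads it as a name.
func quoteAll(names ...string) ([]string, error) {
	out := make([]string, len(names))
	for i, n := range names {
		if !identRe.MatchString(n) {
			return nil, fmt.Errorf("identifier %q outside allowlist", n)
		}
		out[i] = `"` + n + `"`
	}
	return out, nil
}

// buildSelect is a hardened builder for the read operation: schema, table and
// field names are allowlisted and quoted; filter values become $1, $2, ... binds.
func buildSelect(schema, table string, fields []string, filters []Filter) (string, []any, error) {
	idents, err := quoteAll(append([]string{schema, table}, fields...)...)
	if err != nil {
		return "", nil, err
	}
	cols := "*"
	if len(fields) > 0 {
		cols = strings.Join(idents[2:], ", ")
	}
	sql := fmt.Sprintf("SELECT %s FROM %s.%s", cols, idents[0], idents[1])
	var args []any
	for i, f := range filters {
		col, err := quoteAll(f.Col)
		if err != nil {
			return "", nil, err
		}
		kw := " AND "
		if i == 0 {
			kw = " WHERE "
		}
		sql += fmt.Sprintf("%s%s = $%d", kw, col[0], i+1)
		args = append(args, f.Val) // bind argument: the value never enters the SQL text
	}
	return sql, args, nil
}
```

The returned statement and argument slice are meant for a driver call such as db.Query(sql, args...), so a quote or semicolon in a filter value stays data rather than becoming syntax.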