Security issue raised due to User input present in postgrest response.

[devesh23]

Environment

• PostgreSQL version: (if using docker, specify the image) 10
• PostgREST version: (if using docker, specify the image) 7.0.1
• Operating system: Linux

Description of issue

Request to postgrest:

GET /table2?
select=column1,column2,column3,column4&and=(column3.gte.2020-09-
01%2ccolumn3.lte.2020-09-30)%7cping%20-n%2021%20127.0.0.1%7c%7c%60ping%20-
c%2021%20127.0.0.1%60%20%23'%20%7cping%20-n%2021%20127.0.0.1%7c%7c%60ping%20-
c%2021%20127.0.0.1%60%20%23%5c%22%20%7cping%20-n%2021%20127.0.0.1TESTVALUE HTTP/2
Host: localhost
User-Agent: python-requests/2.27.1
Accept-Encoding: gzip, deflate
Accept: /
Accept-Profile: schema2
Authorization: Bearer

{"content":"CT","canvas_id":null,"parent_id":null,"related_object_pk":null,"related_o
bject_category":null}

(Expected behavior vs actual behavior)

Actual Behaviour:
HTTP/2 200 OK
Date: Wed, 16 Mar 2022 18:01:39 GMT
Content-Type: application/json; charset=utf-8
Server: nginx
Content-Range: /
Content-Location: /table2?and=%28column3.gte.2020-09-
01%2Ccolumn3.lte.2020-09-30%29%7Cping%20-n%2021%20127.0.0.1%7C%7C%60ping%20-
c%2021%20127.0.0.1%60%20%23%27%20%7Cping%20-n%2021%20127.0.0.1%7C%7C%60ping%20-
c%2021%20127.0.0.1%60%20%23%5C%22%20%7Cping%20-
n%2021%20127.0.0.1TESTVALUE&select=date%2Capplication%2Ctime_spent%2Cprocess_uuid
Content-Profile: schema2
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: NOSNIFF
X-Xss-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains
Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0
[]

Expected Behaviour:
HTTP/2 200 OK
Date: Wed, 16 Mar 2022 18:01:39 GMT
Content-Type: application/json; charset=utf-8
Server: nginx
Content-Range: /
Content-Location:
Content-Profile: schema2
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: NOSNIFF
X-Xss-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains
Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0
[]

[steve-chavez]

If you're using HTTPS then all the headers(querystring too) are encrypted in transit, so I think this shouldn't be a security concern.

The docs also recommend HTTPS through Nginx.

[devesh23]

In our system, Postgrest is set up to be used with HTTPS through Nginx. Still, This was raised as a security concern during a pen test by one of our clients. I agree with your comment that it would be encrypted during transit, and this is not a security concern. But the tester wants us to remove the user input from the response and has raised this as a low severity problem.

[steve-chavez]

I see, in that case I'd suggest removing the header in the proxy. If you're using Nginx, proxy_hide_header would do the job.