Vuln 1: Command injection in Db2Container when creating and dropping databases
In Db2Container, the createDatabase and dropCreateDatabase methods construct shell commands by directly concatenating user-controllable parameters—such as username, password, createOptions, configOptions, and dbName—into the command string using the + operator, without any validation, sanitization, or escaping. These commands are then executed via the dockerSu method, which invokes the shell with the -c option. This unsafe string concatenation enables arbitrary command injection.
Furthermore, both vulnerable methods can be triggered externally through the startWithCreate, startWithDropCreate, and start methods, increasing the attack surface and allowing an attacker to exploit the vulnerability during container initialization.
Vuln 2: Unsanitized dbName injection in JDBC URL construction
The dbName attribute is a user-controlled string that is neither validated nor sanitized, and is directly concatenated into the JDBC connection URL. In classes such as MySqlContainer and PostgresContainer, this can lead to vulnerabilities—including arbitrary file read, deserialization of untrusted data, and remote command execution—due to the interpretation of maliciously crafted connection parameters by the underlying JDBC drivers.
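The following is an added illustration, not code from the reported project: it places the concatenation shape described in both findings beside a hardened form in which dbName is checked against a narrow allowlist before it reaches either a command line or a JDBC URL, and in which the container command is built as an argument vector rather than a string for `sh -c`. The class and method names, the identifier pattern, and the assumption that the `db2` CLI accepts the statement as separate arguments are all hypothetical.

```java
import java.util.List;
import java.util.regex.Pattern;

// Added example; not the code of the container library discussed in the report.
public final class Db2CommandSafety {

    // Allowlist for values handed to a shell or a JDBC URL. The exact Db2
    // identifier rules are an assumption here; the point is that anything
    // outside a narrow character set is rejected before it is used.
    private static final Pattern SAFE_IDENT =
            Pattern.compile("^[A-Za-z][A-Za-z0-9_]{0,17}$");

    public static String requireSafeIdentifier(String value, String what) {
        if (value == null || !SAFE_IDENT.matcher(value).matches()) {
            throw new IllegalArgumentException(
                    what + " must match " + SAFE_IDENT.pattern());
        }
        return value;
    }

    // Shape described in Vuln 1: the value becomes part of the string that
    // "sh -c" parses, so any shell metacharacters in dbName are interpreted.
    public static List<String> unsafeCreateCommand(String dbName) {
        return List.of("sh", "-c", "db2 create database " + dbName);
    }

    // Hardened shape: the validated value is its own argv element, so no shell
    // re-parses it. (That the db2 CLI accepts the statement split into
    // arguments this way is an assumption of this example.)
    public static List<String> safeCreateCommand(String dbName) {
        return List.of("db2", "create", "database",
                requireSafeIdentifier(dbName, "dbName"));
    }

    // Shape described in Vuln 2: dbName is concatenated straight into the URL,
    // so driver-interpreted parameters can be smuggled in through it.
    public static String unsafeJdbcUrl(String host, int port, String dbName) {
        return "jdbc:db2://" + host + ":" + port + "/" + dbName;
    }

    // Hardened shape: the same allowlist check keeps the URL's database segment
    // to a plain identifier; driver options are appended by the caller, not
    // taken from user input.
    public static String safeJdbcUrl(String host, int port, String dbName) {
        return "jdbc:db2://" + host + ":" + port + "/"
                + requireSafeIdentifier(dbName, "dbName");
    }
}
```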
