🔴 Critical: SQL Injection vulnerability in MDFAttacher.cs #116

@jas88

Summary

SQL injection vulnerability found in MDFAttacher.cs where database names and file paths are interpolated directly into SQL commands without parameterization.

Location

File: Rdmp.Core/DataLoad/Modules/Attachers/MDFAttacher.cs
Lines: 168-177

Vulnerable Code

var cmd = new SqlCommand($@"  CREATE DATABASE {nameTheyWant}   
   ON (FILENAME = '{_locations.AttachMdfPath}'),   
   (FILENAME = '{_locations.AttachLdfPath}')   
   FOR ATTACH;  ", con);

cmd.ExecuteNonQuery();

Risk Assessment

  • Severity: Critical
  • Attack Vector: If nameTheyWant, AttachMdfPath, or AttachLdfPath can be influenced by user input, SQL injection is possible
  • Impact: Arbitrary SQL execution, data exfiltration, privilege escalation

Recommended Fix

Database/object names cannot be parameterized, so use identifier validation:

// Validate database name (alphanumeric + underscore only).
// \z rather than $ so a name ending in a newline is rejected too.
if (!Regex.IsMatch(nameTheyWant, @"^[a-zA-Z_][a-zA-Z0-9_]*\z"))
    throw new ArgumentException("Invalid database name");

// Bracket-delimit the validated name; the check above already rules out ']'
var sql = $@"CREATE DATABASE [{nameTheyWant}]
   ON (FILENAME = @mdfPath),
   (FILENAME = @ldfPath)
   FOR ATTACH;";

using var cmd = new SqlCommand(sql, con);
cmd.Parameters.AddWithValue("@mdfPath", _locations.AttachMdfPath);
cmd.Parameters.AddWithValue("@ldfPath", _locations.AttachLdfPath);

Note: FILENAME in CREATE DATABASE may not accept parameters in all SQL Server versions. If so, validate paths against an allowlist or use path validation.

Additional Instances

Similar patterns may exist in:

  • StagingBackfillMutilator.cs
  • PrimaryKeyCollisionResolverMutilation.cs

Labels

security, critical
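
For the case the note above raises, where FILENAME has to be written as a literal, one way to build the statement is to validate the name, confine both paths to an allowed directory, and escape them as T-SQL string literals. This is an added example, not code from the issue or from the RDMP project; AttachSqlBuilder, Build, PathLiteral and allowedRoot are hypothetical names, and it assumes the paths can be canonicalised on the machine running the code.

```csharp
using System;
using System.IO;
using System.Text.RegularExpressions;

// Hypothetical helper (not part of RDMP): builds the ATTACH statement from validated inputs.
public static class AttachSqlBuilder
{
    // Identifier rule from the issue's fix, anchored with \z so a trailing newline is rejected.
    private static readonly Regex SafeName = new Regex(@"^[a-zA-Z_][a-zA-Z0-9_]*\z");

    // Assumption: MDF/LDF files may only be attached from under one configured directory.
    public static string Build(string dbName, string mdfPath, string ldfPath, string allowedRoot)
    {
        // 128 characters is SQL Server's identifier length limit.
        if (dbName == null || dbName.Length > 128 || !SafeName.IsMatch(dbName))
            throw new ArgumentException("Invalid database name", nameof(dbName));

        return $"CREATE DATABASE [{dbName}] " +
               $"ON (FILENAME = {PathLiteral(mdfPath, allowedRoot, ".mdf")}), " +
               $"(FILENAME = {PathLiteral(ldfPath, allowedRoot, ".ldf")}) FOR ATTACH;";
    }

    private static string PathLiteral(string path, string allowedRoot, string extension)
    {
        if (path == null || path.IndexOfAny(new[] { '\r', '\n', '\0' }) >= 0)
            throw new ArgumentException("Missing path or control characters in path", nameof(path));

        // Canonicalise first so ".." segments cannot escape the allowed directory.
        var full = Path.GetFullPath(path);
        var root = Path.GetFullPath(allowedRoot).TrimEnd(Path.DirectorySeparatorChar)
                   + Path.DirectorySeparatorChar;

        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            throw new ArgumentException("Path is outside the allowed directory", nameof(path));
        if (!string.Equals(Path.GetExtension(full), extension, StringComparison.OrdinalIgnoreCase))
            throw new ArgumentException($"Expected a {extension} file", nameof(path));

        // Inside a T-SQL string literal a single quote is escaped by doubling it.
        return "N'" + full.Replace("'", "''") + "'";
    }
}
```

The returned string is passed to `new SqlCommand(sql, con)` in place of the interpolated statement; a path containing a quote arrives as data inside the literal instead of terminating it.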
