VDB
EN
HIGH

GHSA-vwjc-v7x7-cm6g

ArcadeDB: Scripting authorization gate (GHSA-48qw) bypassed via SQL DEFINE FUNCTION ... LANGUAGE js

상세

The GHSA-48qw-824m-86pr hardening added a checkPermissionsOnDatabase(UPDATE_SECURITY) gate on the polyglot engine (PolyglotQueryEngine.java:112-114,126,176,199), but only there. The SQL route to JavaScript never touches it: DefineFunctionStatement.executeSimple (DefineFunctionStatement.java:37-100), LocalSchema.registerFunctionLibrary, and SQLQueryEngine library-function invocation (SQLQueryEngine.java:198-224) do no scripting-permission check.

Exploit: any user authorized for the DB (including a read-only role) runs POST /api/v1/command/<db> {"language":"sql","command":"DEFINE FUNCTION x.run \"<js>\" LANGUAGE js"} then SELECT x.run(), executing arbitrary JavaScript and defeating the control meant to restrict scripting to security admins. On this path allowedPackages is empty so Java.type host lookup and reflection are blocked, but IOAccess.ALL still permits load(url) SSRF/remote-JS inclusion and unbounded CPU/memory DoS.

Fix: gate DefineFunctionStatement.executeSimple, the SQLQueryEngine library-function wrapper (to also cover pre-existing libraries), and DeleteFunctionStatement with UPDATE_SECURITY for js/polyglot languages. Centralize as one assertCanExecuteUserCode(database) invoked by every code-execution surface. Also set IOAccess.NONE / PolyglotAccess.NONE on the Context (GraalPolyglotEngine.java:86,91).

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

Maven / com.arcadedb:arcadedb-engine
최초 영향 버전: 0 수정 버전: 26.7.2
수정 # pom.xml: bump <version>26.7.2</version> for com.arcadedb:arcadedb-engine

참고