Connection String Parameter Pollution

kotlin.connection_string_parameter_pollution

Severity

critical

Resource

Resource Management

Language

Kotlin

Description

External control of connection string.

Rationale

Database connectivity typically involves constructing a connection string – a snippet of text encoding the details of the connection to the database, such as hostname, database name, and credentials.

When user input is improperly included in a connection string, it can lead to parameter pollution. This means that the attacker can inject additional parameters or override existing ones, potentially accessing databases they shouldn’t or altering their privileges.

Vulnerable practice in Kotlin might involve concatenating user input directly into a connection string, as shown below:

import java.sql.Connection
import java.sql.DriverManager
import java.sql.SQLException

fun main() {
    val userInput = "someuser" // Assume this comes from an untrusted source
    val password = "somepassword" // Assume this comes from an untrusted source

    val connectionString = "jdbc:mysql://localhost:3306/mydatabase?user=$userInput&password=$password"

    try {
        DriverManager.getConnection(connectionString).use { conn ->
            // Do something with the connection
        }
    } catch (e: SQLException) {
        e.printStackTrace()
    }
}

In this example, the userInput and password inputs are directly embedded into the connection string. If an attacker is able to inject malicious content into either of these fields, they could manipulate the connection string to access arbitrary databases or alter security settings.

Remediation

Mitigating connection string parameter pollution involves several key practices:

Use Parameter Objects: Avoid concatenating user input into connection strings. Instead, use APIs or configurations that separate parameters from the connection logic.
Validate and Sanitize User Input: If user input must be incorporated into the connection process, ensure it is strictly validated and sanitized according to expected patterns.
Environment Configuration: Use environment variables or configuration files to manage sensitive credential information away from user modification capabilities.

Configuration

The detector has the following configurable parameters:

sources, that indicates the source kinds to check.
neutralizations, that indicates the neutralization kinds to check.

Unless you need to change the default behavior, you typically do not need to configure this detector.

References

CWE-15 : External Control of System or Configuration Setting.
Connection String Parameter Pollution Attacks, by C. Alonso, Blackhat DC 2010.
OWASP Top 10 2021 - A03 : Injection.