Apache Superset SQL注入绕过技术分析<\/h1>

1. 漏洞背景<\/h2>
Apache Superset是一个开源的数据探索和可视化平台，允许用户通过Web界面创建图表和仪表板，无需编写复杂SQL查询。在版本4.0.1中，存在一个安全机制绕过漏洞，允许攻击者执行任意SQL查询，绕过平台的安全限制。<\/p>

2. 漏洞发现过程<\/h2>

2.1 初始发现<\/h3>

在安全审计过程中，发现可以通过以下API路径与Superset交互：<\/p>

\/superset\/explore_json\/<\/code><\/li>

\/api\/v1\/chart\/data<\/code><\/li>
<\/ul>
2.2 安全机制分析<\/h3>
Superset正常允许执行SQL查询，但实施了安全机制阻止任意SQL请求的执行。通过代码审计发现关键限制逻辑。<\/p>
3. 代码分析<\/h2>
3.1 关键函数：validate_adhoc_subquery()<\/h3>
位于superset\/models\/helpers.py<\/code>，主要功能是检查SQL是否包含子查询或嵌套子查询。<\/p>
def<\/span> validate_adhoc_subquery<\/span>(
<\/span><\/span>    sql: str,
<\/span><\/span>    database_id: int,
<\/span><\/span>    default_schema: str,
<\/span><\/span>) -><\/span> str:
<\/span><\/span>    """
<\/span><\/span><\/span>    检查adhoc SQL是否包含子查询或带有表的嵌套子查询
<\/span><\/span><\/span>    """<\/span>
<\/span><\/span>    statements =<\/span> []
<\/span><\/span>    for<\/span> statement in<\/span> sqlparse.<\/span>parse(sql):
<\/span><\/span>        if<\/span> has_table_query(statement):
<\/span><\/span>            if<\/span> not<\/span> is_feature_enabled("ALLOW_ADHOC_SUBQUERY"<\/span>):
<\/span><\/span>                raise<\/span> SupersetSecurityException(
<\/span><\/span>                    SupersetError(
<\/span><\/span>                        error_type=<\/span>SupersetErrorType.<\/span>ADHOC_SUBQUERY_NOT_ALLOWED_ERROR,
<\/span><\/span>                        message=<\/span>_("Custom SQL fields cannot contain sub-queries."<\/span>),
<\/span><\/span>                        level=<\/span>ErrorLevel.<\/span>ERROR,
<\/span><\/span>                    )
<\/span><\/span>                )
<\/span><\/span>        statement =<\/span> insert_rls_in_predicate(statement, database_id, default_schema)
<\/span><\/span>        statements.<\/span>append(statement)
<\/span><\/span>    return<\/span> ";<\/span>\n<\/span>"<\/span>.<\/span>join(str(statement) for<\/span> statement in<\/span> statements)
<\/span><\/span><\/code><\/pre>3.2 子查询检测函数：has_table_query()<\/h3>
位于superset\/sql_parse.py<\/code>，使用sqlparse库解析SQL查询：<\/p>
def<\/span> has_table_query<\/span>(token_list: TokenList) -><\/span> bool:
<\/span><\/span>    """
<\/span><\/span><\/span>    检查语句是否有从表读取的查询
<\/span><\/span><\/span>    """<\/span>
<\/span><\/span>    state =<\/span> InsertRLSState.<\/span>SCANNING
<\/span><\/span>    for<\/span> token in<\/span> token_list.<\/span>tokens:
<\/span><\/span>        # 忽略注释<\/span>
<\/span><\/span>        if<\/span> isinstance(token, sqlparse.<\/span>sql.<\/span>Comment):
<\/span><\/span>            continue<\/span>
<\/span><\/span>        # 递归检查子token列表<\/span>
<\/span><\/span>        if<\/span> isinstance(token, TokenList) and<\/span> has_table_query(token):
<\/span><\/span>            return<\/span> True<\/span>
<\/span><\/span>        # 发现源关键字(FROM\/JOIN)<\/span>
<\/span><\/span>        if<\/span> imt(token, m=<\/span>[(Keyword, "FROM"<\/span>), (Keyword, "JOIN"<\/span>)]):
<\/span><\/span>            state =<\/span> InsertRLSState.<\/span>SEEN_SOURCE
<\/span><\/span>        # 在FROM\/JOIN后发现标识符\/关键字<\/span>
<\/span><\/span>        elif<\/span> state ==<\/span> InsertRLSState.<\/span>SEEN_SOURCE and<\/span> (
<\/span><\/span>            isinstance(token, sqlparse.<\/span>sql.<\/span>Identifier) or<\/span> token.<\/span>ttype ==<\/span> Keyword
<\/span><\/span>        ):
<\/span><\/span>            return<\/span> True<\/span>
<\/span><\/span>        # 未发现任何内容，离开源<\/span>
<\/span><\/span>        elif<\/span> state ==<\/span> InsertRLSState.<\/span>SEEN_SOURCE and<\/span> token.<\/span>ttype !=<\/span> Whitespace:
<\/span><\/span>            state =<\/span> InsertRLSState.<\/span>SCANNING
<\/span><\/span>    return<\/span> False<\/span>
<\/span><\/span><\/code><\/pre>4. 漏洞利用技术<\/h2>
4.1 PostgreSQL XML函数绕过<\/h3>
通过研究发现PostgreSQL提供以下XML相关函数可以绕过安全检测：<\/p>


query_to_xml(query text, nulls boolean, tableforest boolean, targetns text)<\/code><\/p>

将关系表内容映射为XML值<\/li>
<\/ul>
<\/li>

query_to_xml_and_xmlschema(query text, nulls boolean, tableforest boolean, targetns text)<\/code><\/p>

生成XML数据映射及其对应的XML Schema<\/li>
<\/ul>
<\/li>

table_to_xml(tbl regclass, nulls boolean, tableforest boolean, targetns text)<\/code><\/p>

将指定表内容映射为XML值<\/li>
<\/ul>
<\/li>

table_to_xml_and_xmlschema(tbl regclass, nulls boolean, tableforest boolean, targetns text)<\/code><\/p>

生成表内容的XML映射和Schema<\/li>
<\/ul>
<\/li>

database_to_xml(nulls boolean, tableforest boolean, targetns text)<\/code><\/p>

生成整个数据库的XML映射<\/li>
<\/ul>
<\/li>
<\/ol>
4.2 绕过原理<\/h3>
这些函数接受字符串参数作为SQL查询执行，但在解析过程中：<\/p>

恶意查询被视为字符串(函数参数)<\/li>
被"标记化"为字符串而非SQL语句<\/li>
has_table_query<\/code>函数无法检测到注入<\/li>
<\/ul>
5. 漏洞复现步骤<\/h2>

搭建测试环境：<\/li>
<\/ol>
git clone https:\/\/github.com\/apache\/superset
<\/span><\/span>cd superset
<\/span><\/span>docker compose -f docker-compose-image-tag.yml up
<\/span><\/span><\/code><\/pre>

构造恶意请求，使用PostgreSQL XML函数包装SQL查询<\/p>
<\/li>

通过API端点发送请求：<\/p>

\/superset\/explore_json\/<\/code><\/li>
\/api\/v1\/chart\/data<\/code><\/li>
<\/ul>
<\/li>
<\/ol>
6. 防御建议<\/h2>


升级到最新版本Apache Superset<\/p>
<\/li>

加强输入验证：<\/p>

对XML函数调用进行限制<\/li>
扩展SQL解析逻辑<\/li>
<\/ul>
<\/li>

实施最小权限原则：<\/p>

数据库用户只授予必要权限<\/li>
限制敏感表的访问<\/li>
<\/ul>
<\/li>

启用审计日志：<\/p>

记录所有SQL查询<\/li>
监控异常查询模式<\/li>
<\/ul>
<\/li>
<\/ol>
7. 总结<\/h2>
该漏洞展示了即使成熟的数据平台也可能存在安全机制绕过风险。通过：<\/p>

深入代码审计发现安全限制逻辑<\/li>
研究数据库文档找到特殊函数<\/li>
利用函数参数特性绕过标记化检测<\/li>
<\/ol>
强调了持续安全审计和及时漏洞修复的重要性。<\/p>

Apache Superset SQL注入绕过技术分析<\/h1>

2. 漏洞发现过程<\/h2>

2.2 安全机制分析<\/h3> Superset正常允许执行SQL查询，但实施了安全机制阻止任意SQL请求的执行。通过代码审计发现关键限制逻辑。<\/p>

3. 代码分析<\/h2>

4. 漏洞利用技术<\/h2>

2.2 安全机制分析<\/h3>
Superset正常允许执行SQL查询，但实施了安全机制阻止任意SQL请求的执行。通过代码审计发现关键限制逻辑。<\/p>