fix(postgres): prevent path traversal attacks in database names

claude[bot] · modelorona · web-flow · commit 6a44779894fb · 2025-06-18T01:30:12.000Z
Add validateDatabase() function to prevent URL-encoded forward slashes 
and path traversal patterns in database names. This blocks the reported 
attack vector %2f..%2f..%2f and other similar injection attempts.

Security improvements:
- Block URL-encoded forward slashes (%2f, %2F)
- Block literal path traversal patterns (../, ..\)
- Block other problematic URL-encoded characters
- Maintain postgresql:// URL format as required

Co-authored-by: Anguel &lt;modelorona@users.noreply.github.com&gt;
diff --git a/core/src/plugins/postgres/db.go b/core/src/plugins/postgres/db.go
@@ -41,6 +41,30 @@ func validateHostname(hostname string) error {
 	return nil
 }
 
+// validateDatabase ensures the database name doesn't contain URL-encoded characters
+// or patterns that could lead to path traversal attacks
+func validateDatabase(database string) error {
+	// Check for URL-encoded forward slashes that could enable path traversal
+	if strings.Contains(database, "%2f") || strings.Contains(database, "%2F") {
+		return fmt.Errorf("invalid database name: contains URL-encoded forward slash")
+	}
+	
+	// Check for literal path traversal patterns
+	if strings.Contains(database, "../") || strings.Contains(database, "..\\") {
+		return fmt.Errorf("invalid database name: contains path traversal pattern")
+	}
+	
+	// Check for other URL-encoded characters that could be problematic
+	problematicEncoded := []string{"%00", "%20", "%22", "%27", "%3B", "%3C", "%3E"}
+	for _, encoded := range problematicEncoded {
+		if strings.Contains(strings.ToLower(database), encoded) {
+			return fmt.Errorf("invalid database name: contains URL-encoded character '%s'", encoded)
+		}
+	}
+	
+	return nil
+}
+
 func (p *PostgresPlugin) DB(config *engine.PluginConfig) (*gorm.DB, error) {
 	connectionInput, err := p.ParseConnectionConfig(config)
 	if err != nil {
@@ -52,6 +76,11 @@ func (p *PostgresPlugin) DB(config *engine.PluginConfig) (*gorm.DB, error) {
 		return nil, err
 	}
 
+	// Validate database name to prevent path traversal attacks
+	if err := validateDatabase(connectionInput.Database); err != nil {
+		return nil, err
+	}
+
 	// Construct PostgreSQL URL securely using url.URL struct
 	u := &url.URL{
 		Scheme: "postgresql",
