Skip to content

fix(databases-on-aws): block psql meta-commands in psql-connect.sh --command#232

Open
anwesham-lab wants to merge 2 commits into
awslabs:mainfrom
anwesham-lab:connect-security
Open

fix(databases-on-aws): block psql meta-commands in psql-connect.sh --command#232
anwesham-lab wants to merge 2 commits into
awslabs:mainfrom
anwesham-lab:connect-security

Conversation

@anwesham-lab

@anwesham-lab anwesham-lab commented Jul 13, 2026

Copy link
Copy Markdown
Member

Harden the --command sanitizer in psql-connect.sh so it rejects psql client meta-commands, closing a client-side command-execution path.

Related

N/A

Changes

The --command sanitizer in plugins/databases-on-aws/scripts/psql-connect.sh stripped single-quoted string literals and rejected statement separators (;) and SQL comments (--, /*), but did not check for a leading backslash. psql dispatches meta-commands on a backslash — \! runs a local shell command, and \copy/\i/\o perform client-side file read/write — so a --command value beginning with \! passed the SQL checks and psql executed it locally, with no database privilege required.

This change rejects psql meta-commands before the SQL checks: it strips single-quoted literals (a backslash inside a literal is data, not a meta-command), then rejects any remaining backslash. This blocks the entire meta-command class (\!, \copy, \i, \o, \set) while still allowing SELECT/INSERT/UPDATE/DDL/EXPLAIN, consistent with the allowlist already applied to --ai-model.

Verified: meta-command payloads (\! sh -c ..., \copy ... TO PROGRAM, \i, \o) are blocked; normal SELECT/INSERT/UPDATE are allowed; pre-existing multi-statement (;) and comment (--, /*) blocks remain intact.

Acknowledgment

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of the project license.

…command

The --command sanitizer stripped single-quoted string literals and then
rejected statement separators (;) and SQL comments (--, /*), but never
checked for a leading backslash. psql dispatches meta-commands on a
backslash, and \! runs a local shell command — so a --command value
beginning with \! (or \copy, \i, \o, \set) passed both SQL checks and
psql executed it as a client-side OS command / file read-write, with no
database privilege required.

Reject psql meta-commands before the SQL checks: strip single-quoted
literals (a backslash inside a literal is data, not a meta-command), then
reject any remaining backslash. This blocks the entire meta-command class
while still allowing SELECT/INSERT/UPDATE/DDL/EXPLAIN, consistent with the
allowlist already applied to --ai-model.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
spencercorwin
spencercorwin previously approved these changes Jul 13, 2026
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

@pkale pkale left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants