Notes
- Originally posted as a Security Advisory under duckdb and re-opened here per @Mytherin request.
- Related fix here: #292
Summary
When testing out using Secrets in DuckDB v1.1.3 (duckdb/duckdb@1986445) with the postgres extension, I found that the password wasn't redacted in all locations that report back information related to the database.
Details
The following commands/queries will display the unredacted password(s) for the database(s):
- In the command line client (Windows) the dot command: .databases
- CALL duckdb_databases();
- PRAGMA database_list;
PoC
Note: The CALL duckdb_secrets(); is included to show that the secret is redacted there.
1. Using Temporary Secret
INSTALL postgres;
LOAD postgres;
CREATE SECRET postgres_secret_one (
    TYPE POSTGRES,
    HOST 'localhost',
    PORT 5432,
    DATABASE pagila,
    USER 'postgres',
    PASSWORD 'postgres2023'
);
ATTACH '' AS postgres_db_one (TYPE POSTGRES, SECRET postgres_secret_one);
.databases
CALL duckdb_secrets();
CALL duckdb_databases();
PRAGMA database_list;

2. Using Persistent Secret
INSTALL postgres;
LOAD postgres;
CREATE PERSISTENT SECRET my_persistent_secret (
    TYPE POSTGres,
    HOST 'localhost',
    PORT 5432,
    DATABASE pagila,
    USER 'postgres',
    PASSWORD 'postgres2023'
);
ATTACH '' AS postgres_db (TYPE POSTGRES, SECRET my_persistent_secret);
.databases
CALL duckdb_secrets();
CALL duckdb_databases();
PRAGMA database_list;

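An added regression check, not part of the original report: it assumes the same local Postgres (localhost:5432, database pagila) as the PoC, uses a constructed canary password, and scans the SQL-visible surfaces listed above for that value. The CLI-only .databases output has to be eyeballed separately, since it is not queryable from SQL.

```sql
-- Added example, not from the original report. Assumes a Postgres on
-- localhost:5432 with database 'pagila' as in the PoC. The password is a
-- constructed canary so the scan below can look for it by value.
INSTALL postgres;
LOAD postgres;

CREATE SECRET canary_secret (
    TYPE POSTGRES,
    HOST 'localhost',
    PORT 5432,
    DATABASE pagila,
    USER 'postgres',
    PASSWORD 'CANARY_pw_7f3e'
);
ATTACH '' AS canary_db (TYPE POSTGRES, SECRET canary_secret);

-- Count occurrences of the canary in each catalog surface the report names.
-- On a fixed build every source should report leaked_rows = 0.
SELECT
    source,
    count(*) FILTER (WHERE txt LIKE '%CANARY_pw_7f3e%') AS leaked_rows
FROM (
    SELECT 'duckdb_databases().path' AS source, path AS txt
    FROM duckdb_databases()
    UNION ALL
    SELECT 'pragma_database_list().file', file
    FROM pragma_database_list()
    UNION ALL
    SELECT 'duckdb_secrets().secret_string', secret_string
    FROM duckdb_secrets()
) scan
GROUP BY source;

-- Remove the canary so it does not outlive the check.
DETACH canary_db;
DROP SECRET canary_secret;
```
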
Impact
Anyone that has access to a DuckDB instance which has a Postgres database attached to it can run the commands and observe the password in plain text.