Skip to content

Latest commit

 

History

History
97 lines (78 loc) · 7.7 KB

threat-modeling.md

File metadata and controls

97 lines (78 loc) · 7.7 KB

Threat Model Analysis for doctrine/dbal

Threat: SQL Injection via executeQuery() with Unsafe Concatenation

  • Threat: SQL Injection via executeQuery() with Unsafe Concatenation

    • Description: An attacker crafts malicious input that, when directly concatenated into a SQL query string passed to executeQuery(), alters the query's logic. The attacker injects commands to read, modify, or delete data, potentially leading to complete database compromise. This bypasses application logic and security controls through DBAL's direct interface.
    • Impact:
      • Data breach (reading sensitive data).
      • Data modification or deletion.
      • Complete database compromise.
      • Potential for remote code execution (RCE) on the database server (less common, but possible with certain database configurations).
    • Affected DBAL Component: Connection::executeQuery() (when used with raw SQL strings and direct user input concatenation).
    • Risk Severity: Critical
    • Mitigation Strategies:
      • Primary: Never concatenate user input directly into SQL strings. Use parameterized queries with named or positional placeholders. Example: executeQuery('SELECT * FROM users WHERE id = :id', ['id' => $userInput]);
      • Secondary: Implement strict input validation before passing data to DBAL, even with parameterized queries (defense-in-depth).
      • Avoid Raw SQL: Prefer using the Query Builder (createQueryBuilder()) whenever possible.

Threat: SQL Injection via Query Builder Misuse

  • Threat: SQL Injection via Query Builder Misuse

    • Description: Even with the Query Builder, an attacker can inject SQL if user input is directly concatenated into parts of the query builder's methods, such as where(), andWhere(), orWhere(), orderBy(), groupBy(), etc. The attacker manipulates these clauses to alter the query's logic through the DBAL Query Builder API.
    • Impact: Similar to executeQuery() injection: data breach, modification, deletion, or potential database compromise.
    • Affected DBAL Component: QueryBuilder methods (e.g., where(), andWhere(), orderBy(), groupBy(), setParameter(), etc.) when used with direct user input concatenation within the method arguments.
    • Risk Severity: Critical
    • Mitigation Strategies:
      • Primary: Always use setParameter() to bind user input to placeholders within Query Builder clauses. Example: $qb->where('u.id = :id')->setParameter('id', $userInput);
      • Secondary: Input validation as a defense-in-depth measure.

Threat: Data Leakage via Unhandled Exceptions

  • Threat: Data Leakage via Unhandled Exceptions

    • Description: DBAL methods can throw exceptions (e.g., DBALException) that contain sensitive information, such as database schema details, table names, or even parts of the failed query. If these exceptions, originating from DBAL, are not caught and handled properly, and the error message is displayed to the user, it reveals valuable information.
    • Impact:
      • Information disclosure about the database structure.
      • Exposure of potentially sensitive data included in error messages.
      • Facilitates further attacks.
    • Affected DBAL Component: All DBAL methods that can throw exceptions (virtually all methods interacting with the database).
    • Risk Severity: High
    • Mitigation Strategies:
      • Robust Exception Handling: Wrap all DBAL calls in try...catch blocks. Catch DBALException and other relevant exceptions.
      • Generic Error Messages: Never display the raw exception message to the user. Display a generic error message.
      • Secure Logging: Log the full exception details securely.
      • Production Mode: Ensure the application is in "production" mode.

Threat: Denial of Service via Inefficient Queries Executed Through DBAL

  • Threat: Denial of Service via Inefficient Queries Executed Through DBAL

    • Description: An attacker crafts requests that trigger complex, unoptimized, or resource-intensive queries through DBAL. This consumes excessive database resources (CPU, memory, I/O), slowing down or halting the database server, making the application unavailable. This is specifically about queries executed via DBAL's API.
    • Impact:
      • Application unavailability.
      • Performance degradation.
      • Potential database server crash.
    • Affected DBAL Component: All DBAL methods that execute queries (e.g., executeQuery(), fetchAssociative(), fetchAllAssociative(), etc.).
    • Risk Severity: High
    • Mitigation Strategies:
      • Query Optimization: Analyze and optimize all database queries executed through DBAL. Use database profiling tools.
      • Indexing: Ensure proper indexing.
      • Query Timeouts: Set reasonable timeouts for database queries using DBAL's connection configuration options.
      • Pagination: Implement pagination using setMaxResults() and setFirstResult() in the Query Builder.

Threat: Data Tampering via executeUpdate() with Unsafe Data

  • Threat: Data Tampering via executeUpdate() with Unsafe Data

    • Description: Similar to SQL injection with executeQuery(), but focused on data modification using executeUpdate() (or Query Builder methods like update(), insert(), delete()). An attacker provides malicious input that is used directly within these DBAL calls without proper parameterization, allowing unauthorized data modification.
    • Impact:
      • Data corruption.
      • Unauthorized data modification.
      • Bypassing of application logic.
    • Affected DBAL Component: Connection::executeUpdate(), QueryBuilder::update(), QueryBuilder::insert(), QueryBuilder::delete().
    • Risk Severity: Critical
    • Mitigation Strategies:
      • Parameterized Queries: Always use parameterized queries with executeUpdate() and the Query Builder's modification methods. Use setParameter().
      • Input Validation: Implement strict input validation (defense-in-depth).

Threat: Schema Manipulation via Unsafe DDL Operations Through DBAL

  • Threat: Schema Manipulation via Unsafe DDL Operations Through DBAL

    • Description: If the application uses DBAL to execute Data Definition Language (DDL) statements (e.g., CREATE TABLE, ALTER TABLE, DROP TABLE), and these statements are constructed using user input without sanitization within the DBAL calls, an attacker could manipulate the database schema.
    • Impact:
      • Database schema corruption.
      • Data loss.
      • Denial of service.
      • Potential privilege escalation.
    • Affected DBAL Component: Connection::executeStatement() (when used with DDL statements), SchemaManager methods.
    • Risk Severity: High
    • Mitigation Strategies:
      • Avoid User Input in DDL: Never construct DDL statements directly from user input that is passed to DBAL.
      • Least Privilege: The database user should not have DDL permissions unless absolutely necessary.
      • Schema Management Tools: Use tools like Doctrine Migrations.