Dashboard variable sql injection

Grafana v5.1.2

My question is about dashboard variables of Query type that pull inforamtion from PostgreSQL database.

Once the variable is created, the dashboard will have a drop-down list that allows users to select the value for variable. This value is then used by SQL query to populate the graph on this dashboard.

I discovered that it is possible to type anything into the drop-down field and this user input gets inserted directly into the SQL query that pulls data for graph. For example, assume this is a query:

SELECT value, date as "time" FROM values WHERE value_category = '$Value' ORDER BY id

This allows users to insert anything they want in place of $Value and beyond. And the impact will be only limited by the permissions of the account that is used by the data source to connect to the PostgreSQL server.

This is a flaw on my opinion. This allows users with view privilege to alter the SQL query. This is basically an SQL injection “feature”.

Is there any way to prevent it? For example, create a parameterized SQL query or prohibit end users from typing arbitrary data into variable selection field?

There is Warning in the datasource configuration:

You have to configure permissions on the DB level and/or Grafana organization level. Maybe yiu will sort mentioned “SQL injection” somehow, but users will have option to tamper SQL queries in the browser console or they can query Grafana datasources directly.

1 Like