Handling SQL injection in Grafana URL Queries to Influxdb?

My question is about Grafana dashboard queries that get their information from InfluxDB.

InfluxDB suggests using bind parameters in SQL queries.

Does Grafana v5.2.1 support it, or are there any plans to add it in the future?



Not sure what you mean? Grafana sends full queries to InfluxDB from the browser, so there is no way to stop this; this is the main feature of Grafana.

The queries themselves are dynamic and sent from the browser, so there would be no point in using something like the bind syntax, as someone malicious could just modify the request anyway.

There might be some cases where template variables are used where that could be of use.

@torkel It seems that SQL injection into InfluxDB via Grafana is rather easy (via the API). Somebody can create and delete InfluxDB databases using SQL commands. That shouldn't be the case.
Also, a `GET /api/org/users HTTP/1.1` lists all the users and emails even if unauthenticated:

HTTP/1.1 200 OK ...

Technical note: InfluxDB doesn't use SQL, but the Influx Query Language (InfluxQL). It is a SQL-like query language, but not SQL.

That is a problem of InfluxDB configuration. You should create a dedicated InfluxDB user for Grafana with read-only permissions (no write, no admin permissions).

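The least-privilege setup recommended above, written out as an added example (this is not code from the thread or from the Grafana/InfluxDB projects). It targets InfluxDB 1.x InfluxQL; the database name `metrics`, the user names and the passwords are assumptions. Run it as an admin user through the `influx` CLI or the `/query` HTTP endpoint:

```sql
-- Added example, not from the original thread.
-- Database name "metrics" and user names are assumptions.

-- 1. An admin account is required once authentication is enabled
--    (influxdb.conf: [http] auth-enabled = true).
CREATE USER admin WITH PASSWORD 'change-me' WITH ALL PRIVILEGES;

-- 2. Dedicated account for the Grafana data source: no admin flag,
--    and only READ on the database the dashboards need.
CREATE USER grafana_ro WITH PASSWORD 'change-me-too';
GRANT READ ON "metrics" TO grafana_ro;

-- 3. Verify what the Grafana account can actually do.
SHOW USERS;
SHOW GRANTS FOR grafana_ro;

-- 4. With auth enabled, a query injected through the Grafana proxy and
--    executed as grafana_ro is rejected with an authorization error,
--    because these statements need admin or WRITE privilege:
-- DROP DATABASE "metrics";
-- CREATE DATABASE "scratch";
-- DELETE FROM "cpu";
```

Until `auth-enabled` is switched on in `influxdb.conf`, InfluxDB 1.x ignores user credentials entirely, so creating the users alone does not restrict anything; check `SHOW GRANTS FOR grafana_ro` after the change and point the Grafana data source at `grafana_ro`, never at the admin user.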

Really? Not the case here…

curl -X GET http://localhost:3000/api/org/users

Maybe you have a session cookie set?

I understood what the problem was. I have anonymous access enabled.
However, even in this case anonymous users should not be allowed to retrieve information on other users (e.g. emails, user accounts, etc.).
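For reference, the relevant `grafana.ini` settings, as an added example rather than configuration from the thread. The section and key names (`[auth.anonymous]`, `enabled`, `org_name`, `org_role`) are Grafana's own; the organisation name is an assumption. The first block is the permissive configuration the post above describes; the second disables anonymous access, and the third keeps it but limits it to the Viewer role in one organisation if public dashboards are genuinely required:

```ini
; Added example, not configuration from the original thread.

; Anonymous access on: unauthenticated clients are treated as a member of
; the configured organisation, which is what exposed /api/org/users above.
[auth.anonymous]
enabled = true
org_name = Main Org.
org_role = Viewer

; Hardened: no anonymous access at all; every API call needs a session
; or an API key.
[auth.anonymous]
enabled = false

; Alternative if anonymous dashboards are required: restrict anonymous
; users to a dedicated organisation (name is an assumption) holding only
; the public dashboards, and never give them Editor or Admin.
[auth.anonymous]
enabled = true
org_name = Public Dashboards
org_role = Viewer
```

After changing the file, restart Grafana and repeat the unauthenticated `curl -X GET http://localhost:3000/api/org/users` check: with `enabled = false` it should return an authorization error instead of the user list.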

Can we not have some feature where URL encryption can be enabled, so the user cannot tamper with the query param or build param?