Hi Team,
We are suing grafana with sqlite. When our project went for pentest. they can easy inject sql queries using the session id. How we can avoid this?
I don’t think you can. Grafana’s SQL datasources allow arbitrary queries to be run, and the general advice is to ensure that user permissions (for the role used by the datasource) are set in a way that prevents malicious/undesirable operations. But since SQLite doesn’t have the concept of user roles or permissions…I’m not sure there’s much you could do to prevent a user with a valid session from running arbitrary queries.
You could either run it as a Postgres/MySQL database, or write a simple API wrapper that allows only “valid” queries to be run?
Caveat: I’m not actually familiar with the SQLite plugin itself, but I suspect I’m not far off.
3 Likes