In this explainer article I will discuss two critical vulnerabilities identified in the Mastra AI framework’s template repositories: an Improper Access Control vulnerability in the template-text-to-sql code repository and a Server-Side Request Forgery (SSRF) vulnerability in the template-pdf-questions code repository. These vulnerabilities pose significant risks to the security and integrity of applications built using these templates.
I will provide a detailed analysis of each vulnerability, demonstrate how they can be exploited, and offer recommendations for mitigation. This advisory aims to raise awareness among developers about the importance of securing AI-powered applications and to commend Mastra AI for their proactive response in addressing these issues.
template-text-to-sql

The template-text-to-sql project is designed to facilitate natural language to SQL conversion, featuring PostgreSQL schema analysis and AI-powered query generation. However, the project fails to enforce a true “read-only” mode, leaving it vulnerable to abuse and attacks on the PostgreSQL database server.
The vulnerability lies in the sqlExecutionTool function, which attempts to enforce a “read-only” mode by checking if the query string starts with “SELECT”. This naive approach is insufficient, as it does not account for SQL queries that can cause side effects through internal function calls.
    import { createTool } from '@mastra/core/tools';
    import { z } from 'zod';
    // createDatabaseConnection and executeQuery are the template's own helpers (their import is omitted here)

    export const sqlExecutionTool = createTool({
      id: 'sql-execution',
      inputSchema: z.object({
        connectionString: z.string().describe('PostgreSQL connection string'),
        query: z.string().describe('SQL query to execute'),
      }),
      description: 'Executes SQL queries against a PostgreSQL database',
      execute: async ({ context: { connectionString, query } }) => {
        const client = createDatabaseConnection(connectionString);
        try {
          console.log('🔌 Connecting to PostgreSQL for query execution...');
          await client.connect();
          console.log('✅ Connected to PostgreSQL for query execution');
          // Vulnerable "read-only" check: only the first keyword of the statement is inspected
          const trimmedQuery = query.trim().toLowerCase();
          if (!trimmedQuery.startsWith('select')) {
            throw new Error('Only SELECT queries are allowed for security reasons');
          }
          const result = await executeQuery(client, query);
          // ... result formatting continues in the template (omitted)
          return result;
        } finally {
          await client.end(); // assumes the helper returns a pg Client
        }
      },
    });
Attackers can exploit this vulnerability by executing queries that appear to be “read-only” but actually perform harmful operations. For example:
    SELECT some_function_that_updates_data();
    SELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE ...;

To reproduce the issue:

1. Run SELECT pg_sleep(5 * 60) so that a long-running query is active.
2. Run SELECT pid, usename, state, query FROM pg_stat_activity; to retrieve the PID.
3. Run SELECT pg_terminate_backend(PID);

This vulnerability can lead to denial of service and unauthorized access to running queries, potentially leaking sensitive data.
template-pdf-questions

The template-pdf-questions project allows users to download PDFs from URLs, but fails to sanitize user input, leading to an SSRF vulnerability. The pdfFetcherTool function takes a URL as input without proper validation.
    import { createTool } from '@mastra/core/tools';
    import { z } from 'zod';

    export const pdfFetcherTool = createTool({
      id: 'download-pdf-tool',
      description: 'Downloads a PDF from a URL, extracts text, and returns a comprehensive summary',
      inputSchema: z.object({
        pdfUrl: z.string().describe('URL to the PDF file to download'),
      }),
      execute: async ({ context, mastra }) => {
        const { pdfUrl } = context;
        console.log('📥 Downloading PDF from URL:', pdfUrl);
        try {
          // Step 1: Download the PDF (vulnerable: the user-supplied URL is fetched without any validation)
          const response = await fetch(pdfUrl);
          // ... text extraction and summarisation continue in the template (omitted)
        } catch (error) {
          console.error('Failed to download PDF:', error);
          throw error;
        }
      },
    });
Attackers can exploit this by providing URLs pointing to internal network addresses, potentially accessing sensitive data.
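As an added example, not part of the template or of this advisory, here is one way to vet pdfUrl before it is fetched, written in TypeScript with only Node built-ins; the function names, the blocklist and the injectable resolver are my own choices:

```typescript
// Added example (not the template's own code): an SSRF guard for the user-supplied pdfUrl.
// Policy: http(s) only, no embedded credentials, resolve the hostname ourselves and refuse
// loopback, private, link-local (incl. 169.254.169.254), CGNAT, multicast and reserved targets.
import { promises as dns } from "node:dns";
import { isIP } from "node:net";
type Resolver = (host: string) => Promise<{ address: string }>;
// IPv4 prefixes a URL-fetching tool must never reach (CIDR as [network, prefix length]).
const BLOCKED_V4: Array<[string, number]> = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16], ["224.0.0.0", 3],
];
function v4ToInt(ip: string): number {
  return ip.split(".").reduce((acc, octet) => ((acc << 8) + Number(octet)) >>> 0, 0);
}
function inBlockedV4(ip: string): boolean {
  const n = v4ToInt(ip);
  return BLOCKED_V4.some(([net, bits]) => {
    const mask = (~0 << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ((v4ToInt(net) & mask) >>> 0);
  });
}
export function isBlockedAddress(ip: string): boolean {
  const family = isIP(ip);
  if (family === 4) return inBlockedV4(ip);
  if (family !== 6) return true; // not an IP literal at all: refuse rather than guess
  const v6 = ip.toLowerCase();
  const mapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(v6); // IPv4-mapped IPv6 hides a v4 target
  if (mapped) return inBlockedV4(mapped[1] ?? "");
  return v6 === "::1" || v6 === "::" || /^f[cd]/.test(v6) || /^fe[89ab]/.test(v6);
}
// Returns null when the URL passes the syntactic policy, otherwise the reason it fails.
export function urlPolicyError(raw: string): string | null {
  let u: URL;
  try { u = new URL(raw); } catch { return "malformed URL"; }
  if (u.protocol !== "http:" && u.protocol !== "https:") return `scheme ${u.protocol} not allowed`;
  if (u.username || u.password) return "credentials in URL not allowed";
  return null;
}
// Validate, resolve once, and hand back the URL plus the vetted address. The caller should fetch
// with redirect: "error" and connect to `address` (e.g. a custom agent lookup) so that a second
// DNS answer (rebinding) cannot swap in an internal host after this check.
export async function resolvePdfTarget(raw: string, lookup: Resolver = (h) => dns.lookup(h)) {
  const err = urlPolicyError(raw);
  if (err) throw new Error(err);
  const u = new URL(raw);
  const { address } = await lookup(u.hostname.replace(/^\[|\]$/g, ""));
  if (isBlockedAddress(address)) throw new Error(`refusing non-public target ${address}`);
  return { url: u.toString(), address };
}
```

Packages such as private-ip or ipaddr.js can replace the hand-written range check, but the resolve-once-then-pin step is still needed.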
Mitigation for the SSRF: validate the URL and reject private or internal addresses, for example with the private-ip or ipaddr.js packages.

The security of AI-powered applications is paramount, and these vulnerabilities highlight the need for robust security practices. I commend Mastra AI for their swift action in addressing these issues and encourage developers to prioritize security in their projects. For more insights and updates, follow me on Twitter and explore my work on GitHub.