SQLite Forum

Possible vulnerabilities from December 2019
It is a clever attack.  The idea is that if you have an application
that uses an SQLite database with a schema like this:

~~~~~
   CREATE TABLE xyzzy(...);
~~~~~

And if your application always

  1.  Registers an application-defined SQL function "`send_money()`"
      upon start-up and then
  2.  Runs "`SELECT * FROM xyzzy WHERE...`" thereafter

Then the attacker can modify your schema like this:

~~~~~
   ALTER TABLE xyzzy RENAME to xyzzy_real;
   CREATE VIEW xyzzy AS SELECT * FROM xyzzy_real
       WHERE send_money(...) IS NOT NULL OR 5<>11;
~~~~~

Then, when your application naively opens the database file and
reads the xyzzy table, it will actually cause the view to run and
send money to the attacker.

## Features Recently Added to SQLite To Help Avoid This Attack.

  1.  You can now specify that application-defined SQL functions
      are [SQLITE_DIRECTONLY][1].  This means that they can only
      be called from top-level SQL, not from triggers or views.
      The use of SQLITE_DIRECTONLY is recommended for any
      application-defined SQL function that has side-effects.

  2.  There is the [SQLITE_DBCONFIG_ENABLE_VIEW][2] option which can
      be used to completely disable views, and hence shut down this
      attack.  Recommended if your application does not need or use
      views.  The corresponding [SQLITE_DBCONFIG_ENABLE_TRIGGER][3]
      option has been around for ages already.  It too is
      recommended for security-sensitive applications that do not
      need or use triggers.

  3.  You can run [PRAGMA trusted_schema=OFF;][4] to cause all
      historical application-defined SQL functions to act as if
      they were SQLITE_DIRECTONLY even if they were not declared
      as such.  On by default for historical compatibility, but
      recommended for security-sensitive applications.

See the [Defense Against Dark Arts][5] page for additional discussion
of these ideas.

[1]: https://www.sqlite.org/c3ref/c_deterministic.html#sqlitedirectonly
[2]: https://www.sqlite.org/c3ref/c_dbconfig_defensive.html#sqlitedbconfigenableview
[3]: https://www.sqlite.org/c3ref/c_dbconfig_defensive.html#sqlitedbconfigenabletrigger
[4]: https://www.sqlite.org/pragma.html#pragma_trusted_schema
[5]: https://www.sqlite.org/security.html
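The following is an added example, not code from the forum post or from the SQLite project. It reproduces the schema tampering the post describes using Python's standard `sqlite3` module, then opens the tampered file the way the victim application would, once with default settings, once after `PRAGMA trusted_schema=OFF`, and once with views disabled through `SQLITE_DBCONFIG_ENABLE_VIEW` (only reachable from Python 3.12+, so that path is feature-checked). The table and function names `xyzzy`, `xyzzy_real` and `send_money()` come from the post; the column layout, the sample rows, and the `run_app()` harness are constructed for this example. `SQLITE_DIRECTONLY` itself cannot be set from Python's `create_function()`, which is exactly why the trusted_schema pragma is the relevant knob here.

```python
"""Added example: the view-based hijack of an application-defined SQL
function, and two of the mitigations listed in the post."""
import os
import sqlite3
import tempfile


def build_tampered_db(path):
    """Write the attacker's schema from the post: create the table the
    application expects, rename it, and put a same-named view in front of it
    whose WHERE clause calls send_money() on every row. Sample rows are
    constructed for this example."""
    con = sqlite3.connect(path)
    # The attacker needs no real send_money(): a no-op is registered here only
    # so the CREATE VIEW is accepted however strictly this SQLite build checks
    # view definitions at creation time. Nothing is evaluated at this point.
    con.create_function("send_money", 1, lambda amount: None)
    con.executescript("""
        CREATE TABLE xyzzy(id INTEGER PRIMARY KEY, amount INTEGER);
        INSERT INTO xyzzy(amount) VALUES (10), (20), (30);
        ALTER TABLE xyzzy RENAME TO xyzzy_real;
        CREATE VIEW xyzzy AS SELECT * FROM xyzzy_real
            WHERE send_money(amount) IS NOT NULL OR 5<>11;
    """)
    con.close()


def mitigation_supported():
    """PRAGMA trusted_schema exists from SQLite 3.31.0 on; older libraries
    silently ignore unknown pragmas, so callers can skip that check there."""
    return sqlite3.sqlite_version_info >= (3, 31, 0)


def views_can_be_disabled():
    """Connection.setconfig() (a wrapper for sqlite3_db_config) and the
    SQLITE_DBCONFIG_* constants are exposed by Python 3.12 and later."""
    return (hasattr(sqlite3.Connection, "setconfig")
            and hasattr(sqlite3, "SQLITE_DBCONFIG_ENABLE_VIEW"))


def run_app(path, mode="default"):
    """Model the victim application: register send_money() at start-up,
    apply the chosen hardening, then run the innocent-looking SELECT.

    Returns (rows, calls, error): the rows fetched, the amounts send_money()
    was invoked with, and the SQLite error text if the statement was refused.
    """
    calls = []
    con = sqlite3.connect(path)
    # Stand-in for the post's side-effecting function: it records each call.
    con.create_function("send_money", 1,
                        lambda amount: calls.append(amount) or amount)
    if mode == "trusted_schema_off":
        # Every application-defined function not marked SQLITE_INNOCUOUS is
        # now refused inside views and triggers, as if SQLITE_DIRECTONLY.
        con.execute("PRAGMA trusted_schema=OFF")
    elif mode == "views_disabled":
        # SQLITE_DBCONFIG_ENABLE_VIEW=0: any reference to a view is an error.
        con.setconfig(sqlite3.SQLITE_DBCONFIG_ENABLE_VIEW, False)
    rows, error = [], None
    try:
        rows = con.execute("SELECT * FROM xyzzy WHERE amount > 0").fetchall()
    except sqlite3.OperationalError as exc:
        error = str(exc)
    finally:
        con.close()
    return rows, calls, error


def demo(mode="default"):
    """Build a tampered database in a temp file and open it as the app would."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        build_tampered_db(path)
        return run_app(path, mode)
    finally:
        os.remove(path)


if __name__ == "__main__":
    for mode in ("default", "trusted_schema_off", "views_disabled"):
        if mode == "views_disabled" and not views_can_be_disabled():
            continue
        rows, calls, error = demo(mode)
        print(f"{mode:>18}: rows={rows} send_money calls={calls} "
              f"error={error!r}")
```

With default settings the SELECT returns the three rows and `send_money()` fires once per row, even though the application never mentioned a view. With `PRAGMA trusted_schema=OFF` the statement is refused at prepare time with an "unsafe use of send_money()" error and the function is never called; with views disabled the reference to `xyzzy` is itself refused. Note that the pragma is per-connection and must be issued before the first query, which is why the example places it immediately after `create_function()`.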