Bypass Metabase API's from WAF's for SQL Injection

varunm · April 17, 2023, 12:58pm

Hi,
Currently while creating new Questions (SQL queries) on Metabase and saving them, we pass the entire query to API, and our configured WAF's are blocking these calls as the query contains Join's and WAF is treating it as an SQL injection and is blocking the call and we are not able to save such questions.
Any idea on how to bypass such WAF's for these queries.

Luiggi · April 17, 2023, 1:28pm

Metabase provides protections against injections, can you disable that check?

varunm · April 19, 2023, 11:58am

Hi Luiggi,
Thanks for your reply, can you please provide steps on how to disable that check, also link to any documentation around that if present.

Thanks
Varun

Luiggi · April 19, 2023, 12:05pm

I don't know which WAF you have, I was suggesting you disable those checks in the WAF

varunm · April 19, 2023, 12:30pm

Ohh I thought, you were saying there is some check in Metabase side, yes for disabling those checks on WAF side, we have whitelisted the Metabase API's which get the query in the request params for SQL Injections related WAF rules.
Was just wondering if there is any other approach to handle this other than disabling on WAF side.

tachniki · April 24, 2023, 7:23am

We had similar issue with metabase /api/card put and post api. It was getting blocked by AWS WAF - AWSManagedRulesWindowsRuleSet#WindowsShellCommands_BODY.

Any idea, if we have plan to certify one or more WAF in future.

Thanks,
NItin

Luiggi · April 24, 2023, 1:25pm

Unfortunately I don’t know how the waf validates the rule. If it’s just a regex check then it’s going to be a problem as Metabase sql questions is mostly about sending a sql query over a http call so it will trigger for sure a waf alarm

Luiggi · April 24, 2023, 1:27pm

I’m wondering why it triggered a windows shell rule. I would say that you choose waf rules that are not sql injections as Metabase has those checks already in place

varunm · April 24, 2023, 2:13pm

Do we have any metabase documentation where it states Metabase already checks for SQL injections, if yes can you please provide me the link for the same.

tachniki · April 24, 2023, 6:52pm

I looked at body and headers and could not find why it would have triggered a windows shell rule. Possibly some regex. I didn't find AWS documentation that lists down all regexes it look for each rule / ruleset.

Even though metabase may have checks for various checks, it might be still good idea to have one or more industry standard WAF supported that can be used as an extra layer of security.

Luiggi · April 24, 2023, 7:18pm

Metabase uses prepared statements on all its queries, you can see that in the code

Luiggi · April 24, 2023, 7:20pm

On the opposite, WAFs should not trigger when they see a sql query on the payload of an api call. We can’t rewrite our entire product because a product on top of Metabase can’t distinguish between a valid sql and someone doing nasty things