Bypass Metabase API's from WAF's for SQL Injection

Currently while creating new Questions (SQL queries) on Metabase and saving them, we pass the entire query to API, and our configured WAF's are blocking these calls as the query contains Join's and WAF is treating it as an SQL injection and is blocking the call and we are not able to save such questions.
Any idea on how to bypass such WAF's for these queries.

Metabase provides protections against injections, can you disable that check?

Hi Luiggi,
Thanks for your reply, can you please provide steps on how to disable that check, also link to any documentation around that if present.


I don't know which WAF you have, I was suggesting you disable those checks in the WAF

Ohh I thought, you were saying there is some check in Metabase side, yes for disabling those checks on WAF side, we have whitelisted the Metabase API's which get the query in the request params for SQL Injections related WAF rules.
Was just wondering if there is any other approach to handle this other than disabling on WAF side.

We had similar issue with metabase /api/card put and post api. It was getting blocked by AWS WAF - AWSManagedRulesWindowsRuleSet#WindowsShellCommands_BODY.

Any idea, if we have plan to certify one or more WAF in future.


Unfortunately I don’t know how the waf validates the rule. If it’s just a regex check then it’s going to be a problem as Metabase sql questions is mostly about sending a sql query over a http call so it will trigger for sure a waf alarm

I’m wondering why it triggered a windows shell rule. I would say that you choose waf rules that are not sql injections as Metabase has those checks already in place

Do we have any metabase documentation where it states Metabase already checks for SQL injections, if yes can you please provide me the link for the same.

I looked at body and headers and could not find why it would have triggered a windows shell rule. Possibly some regex. I didn't find AWS documentation that lists down all regexes it look for each rule / ruleset.

Even though metabase may have checks for various checks, it might be still good idea to have one or more industry standard WAF supported that can be used as an extra layer of security.

Metabase uses prepared statements on all its queries, you can see that in the code

On the opposite, WAFs should not trigger when they see a sql query on the payload of an api call. We can’t rewrite our entire product because a product on top of Metabase can’t distinguish between a valid sql and someone doing nasty things