A few hours after releasing ClickMigrate as an open source project, we performed an additional security review of the codebase. During that review, we identified two security issues and fixed both of them before continuing development.
Neither issue is likely to affect typical ClickMigrate users, but we believe documenting these findings improves transparency and demonstrates the importance of reviewing even small open source projects from a security perspective.
Issue #1: Path Traversal in the Revision Command
The first issue affected the clickmigrate revision command. Under certain conditions, it was possible to supply a crafted migration name that caused the generated SQL file to be written outside of the configured migrations directory.
The vulnerability required a very specific setup. An attacker would first need to control the migration name supplied to the command, for example through an automated development or CI/CD pipeline that accepted untrusted input. The attacker would not gain permissions beyond those already granted to the user executing ClickMigrate, but arbitrary .sql files could be created anywhere that user had write access.
Although the practical impact is limited, this is still a valid Path Traversal vulnerability and has been addressed. We published a GitHub Security Advisory describing the issue: GHSA-vgf9-9mxx-hq54. We are also evaluating whether the issue should receive a CVE identifier.
The fix was straightforward. We introduced strict validation of migration names, allowing only letters, numbers, hyphens, and underscores. Any other input is rejected before reaching the file creation logic.
The complete fix is available in commit 6b1f2c0.
Issue #2: A Theoretical SQL Injection Scenario
During the same review, we also identified a second issue involving SQL query construction.
Under very specific circumstances, it was technically possible to influence the SQL query through the configured migration table name. However, exploiting this would already require an attacker to control ClickMigrate's configuration or otherwise have the ability to influence the database queries being executed.
Because of these prerequisites, we consider the practical impact to be extremely low. Nevertheless, it was still worth fixing to eliminate unnecessary attack surface.
We addressed the issue using the same approach as before by introducing strict validation. The migration table name now only accepts letters, numbers, hyphens, and underscores, preventing unexpected characters from reaching the SQL query.
The fix can be found in commit 360f703.
Lessons Learned
Neither issue required a complicated fix. Both vulnerabilities were resolved by introducing strict input validation, resulting in only a few lines of additional code.
This serves as a good reminder that security reviews are valuable even for relatively small projects. Looking at code with a security mindset often reveals edge cases that would otherwise go unnoticed.
Not every finding results in a critical vulnerability, but identifying and addressing smaller issues before they become larger problems is an important part of secure software development.
Highlights
- Identified and fixed two security issues in ClickMigrate.
- Published a GitHub Security Advisory for the Path Traversal vulnerability.
- Currently evaluating whether the Path Traversal issue should receive a CVE identifier.
- Resolved a theoretical SQL injection scenario with very limited practical impact.
- Strengthened input validation across multiple parts of ClickMigrate.
Looking Ahead
We'll continue performing regular security reviews of both QueueForge and our open source projects. Finding issues early is significantly easier than responding to them later.
If you'd like to receive future Security Monday articles, consider subscribing to our newsletter.
See you next Monday,
The QueueForge Security Team
Top comments (0)