Summary
The sqlRequest command allows arbitrary SQL execution with only a single shared password.
Affected Code
server-services/start-services.js Lines 338-390
Vulnerability
Any client with the sqlPassword can run arbitrary SQL.
Impact
- Full database read/write/delete access
Recommended Fix
- Disable by default; require explicit
LS_ENABLE_SQL_API=true env flag
- Require verified
auth_key in addition to sqlPassword
- IP allowlist or mTLS
- Audit logging
References
Summary
The
sqlRequestcommand allows arbitrary SQL execution with only a single shared password.Affected Code
server-services/start-services.jsLines 338-390Vulnerability
Any client with the
sqlPasswordcan run arbitrary SQL.Impact
Recommended Fix
LS_ENABLE_SQL_API=trueenv flagauth_keyin addition tosqlPasswordReferences