fix: prevent SQL injection in Maintenance tool option values (#9898)

The Maintenance tool concatenated four user-supplied JSON fields
(buffer_usage_limit, vacuum_parallel, vacuum_index_cleanup,
reindex_tablespace) directly into the rendered VACUUM/ANALYZE/REINDEX
command, which was passed to psql --command. An authenticated user
with the tools_maintenance permission could break out of the option
syntax and execute arbitrary SQL on the connected server, escalating
to RCE on the database host via COPY ... TO PROGRAM.

Fix:
- Allow-list values server-side before rendering: vacuum_index_cleanup
  in {AUTO, ON, OFF}; vacuum_parallel a non-negative integer up to
  1024; buffer_usage_limit matching ^\d+\s*(kB|MB|GB|TB)$
  (case-insensitive). Reject with HTTP 400 on failure.
- Switch reindex_tablespace from manual double-quote wrapping to the
  qtIdent filter used elsewhere in the same template, which both
  escapes embedded quotes and only quotes when required.
- Type-guard against unhashable values so non-string payloads return
  400 instead of triggering a 500.

Reported-by: j3seer <jasserchebbi@outlook.com>

Author: asheshv

web/pgadmin/tools/maintenance/__init__.py

@@ -10,6 +10,7 @@
 """A blueprint module implementing the maintenance tool for vacuum"""
 
 import json
+import re
 
 from flask import Response, render_template, request, current_app
 from flask_babel import gettext as _
@@ -148,6 +149,49 @@ def get_index_name(data):
     return index_name
 
 
+# Values for these options are concatenated into the rendered SQL command.
+# They MUST be allow-listed here — anything not matching is rejected before
+# rendering. reindex_tablespace is escaped via qtIdent in the template, so it
+# is not validated here beyond a type check.
+_INDEX_CLEANUP_ALLOWED = {'AUTO', 'ON', 'OFF'}
+_BUFFER_USAGE_LIMIT_RE = re.compile(r'^\d+\s*(kB|MB|GB|TB)$', re.IGNORECASE)
+_VACUUM_PARALLEL_MAX = 1024
+
+
+def validate_maintenance_data(data):
+    """
+    Validate user-supplied option values that are concatenated into the
+    maintenance SQL template. Returns an error message on failure, or None
+    if all values are acceptable.
+    """
+    index_cleanup = data.get('vacuum_index_cleanup')
+    if index_cleanup:
+        if not isinstance(index_cleanup, str) or \
+                index_cleanup not in _INDEX_CLEANUP_ALLOWED:
+            return _("Invalid value for INDEX_CLEANUP option.")
+
+    parallel = data.get('vacuum_parallel')
+    if parallel not in (None, ''):
+        try:
+            n = int(parallel)
+        except (TypeError, ValueError):
+            return _("Invalid value for PARALLEL option.")
+        if n < 0 or n > _VACUUM_PARALLEL_MAX:
+            return _("Invalid value for PARALLEL option.")
+
+    buffer_limit = data.get('buffer_usage_limit')
+    if buffer_limit:
+        if not isinstance(buffer_limit, str) or \
+                not _BUFFER_USAGE_LIMIT_RE.match(buffer_limit.strip()):
+            return _("Invalid value for BUFFER_USAGE_LIMIT option.")
+
+    tablespace = data.get('reindex_tablespace')
+    if tablespace is not None and not isinstance(tablespace, str):
+        return _("Invalid value for TABLESPACE option.")
+
+    return None
+
+
 @blueprint.route(
     '/job/<int:sid>/<int:did>', methods=['POST'], endpoint='create_job'
 )
@@ -169,6 +213,10 @@ def create_maintenance_job(sid, did):
     else:
         data = json.loads(request.data)
 
+    validation_error = validate_maintenance_data(data)
+    if validation_error is not None:
+        return bad_request(errormsg=validation_error)
+
     index_name = get_index_name(data)
 
     # Fetch the server details like hostname, port, roles etc

web/pgadmin/tools/maintenance/templates/maintenance/sql/command.sql

@@ -13,7 +13,7 @@
 {% if data.vacuum_index_cleanup %}{{ maintenance_options.append('INDEX_CLEANUP ' + data.vacuum_index_cleanup) or "" }}{% endif %}
 {% if data.vacuum_parallel %}{{ maintenance_options.append('PARALLEL ' + data.vacuum_parallel) or "" }}{% endif %}
 {% if data.buffer_usage_limit %}{{ maintenance_options.append('BUFFER_USAGE_LIMIT "' + data.buffer_usage_limit + '"') or "" }}{% endif %}
-{% if data.reindex_tablespace %}{{ maintenance_options.append('TABLESPACE "' + data.reindex_tablespace + '"') or "" }}{% endif %}
+{% if data.reindex_tablespace %}{{ maintenance_options.append('TABLESPACE ' + conn|qtIdent(data.reindex_tablespace)) or "" }}{% endif %}
 {% if data.reindex_concurrently %}{{ maintenance_options.append('CONCURRENTLY') or "" }}{% endif %}
 {% if data.op == "VACUUM" %}
 VACUUM{% for option in maintenance_options %}{% if loop.first %} ({% endif %}{{ option }}{% if not loop.last %}, {% endif %}{% if loop.last %}){% endif %}{% endfor %}{% if data.schema %} {{ conn|qtIdent(data.schema) }}.{{ conn|qtIdent(data.table) }}{% endif %};

web/pgadmin/tools/maintenance/tests/test_maintenance_create_job_unit_test.py

@@ -559,7 +559,30 @@ class MaintenanceCreateJobTest(BaseTestGenerator):
                  verbose=True
              ),
              url=MAINTENANCE_URL,
-             expected_cmd_opts=['REINDEX (VERBOSE, TABLESPACE "pg_default") '
+             expected_cmd_opts=['REINDEX (VERBOSE, TABLESPACE pg_default) '
+                                'DATABASE postgres;\n'],
+             server_min_version=140000,
+             message='REINDEX TABLESPACE is not supported by EPAS/PG server '
+                     'less than 14.0'
+         )),
+        ('When reindex_tablespace contains quote, qtIdent escapes it',
+         dict(
+             class_params=dict(
+                 sid=1,
+                 name='test_maintenance_server',
+                 port=5444,
+                 host='localhost',
+                 username='postgres'
+             ),
+             params=dict(
+                 database='postgres',
+                 op='REINDEX',
+                 reindex_tablespace='foo"; DROP TABLE x; --',
+                 verbose=True
+             ),
+             url=MAINTENANCE_URL,
+             expected_cmd_opts=['REINDEX (VERBOSE, TABLESPACE '
+                                '"foo""; DROP TABLE x; --") '
                                 'DATABASE postgres;\n'],
              server_min_version=140000,
              message='REINDEX TABLESPACE is not supported by EPAS/PG server '
@@ -644,7 +667,7 @@ class MaintenanceCreateJobTest(BaseTestGenerator):
                  verbose=True
              ),
              url=MAINTENANCE_URL,
-             expected_cmd_opts=['REINDEX (VERBOSE, TABLESPACE "pg_default") '
+             expected_cmd_opts=['REINDEX (VERBOSE, TABLESPACE pg_default) '
                                 'TABLE my_schema.my_table;\n'],
              server_min_version=140000,
              message='REINDEX TABLESPACE TABLE is not supported by '
@@ -711,7 +734,7 @@ class MaintenanceCreateJobTest(BaseTestGenerator):
                  verbose=True
              ),
              url=MAINTENANCE_URL,
-             expected_cmd_opts=['REINDEX (VERBOSE, TABLESPACE "pg_default") '
+             expected_cmd_opts=['REINDEX (VERBOSE, TABLESPACE pg_default) '
                                 'INDEX my_schema.my_index;\n'],
              server_min_version=140000,
              message='REINDEX TABLESPACE is not supported by EPAS/PG server '

web/pgadmin/tools/maintenance/tests/test_maintenance_input_validation.py

@@ -0,0 +1,224 @@
+##########################################################################
+#
+# pgAdmin 4 - PostgreSQL Tools
+#
+# Copyright (C) 2013 - 2026, The pgAdmin Development Team
+# This software is released under the PostgreSQL Licence
+#
+##########################################################################
+
+import json
+
+from pgadmin.utils.route import BaseTestGenerator
+from regression import parent_node_dict
+from unittest.mock import patch, MagicMock
+
+from config import PG_DEFAULT_DRIVER
+
+MAINTENANCE_URL = '/maintenance/job/{0}/{1}'
+
+
+class MaintenanceInputValidationTest(BaseTestGenerator):
+    """
+    Reject malicious / out-of-range values for the four maintenance options
+    that get concatenated into the rendered SQL command. These payloads
+    correspond to the SQL-injection PoC patterns; the endpoint must return
+    HTTP 400 and never reach BatchProcess.
+    """
+
+    scenarios = [
+        ('buffer_usage_limit with SQL-injection payload is rejected',
+         dict(
+             params=dict(
+                 database='postgres',
+                 op='ANALYZE',
+                 buffer_usage_limit='256kB"); COPY (SELECT 1) TO PROGRAM '
+                                    "'id'; --",
+                 verbose=True,
+             ),
+         )),
+        ('buffer_usage_limit with bad unit is rejected',
+         dict(
+             params=dict(
+                 database='postgres',
+                 op='VACUUM',
+                 buffer_usage_limit='1XB',
+                 verbose=True,
+             ),
+         )),
+        ('buffer_usage_limit non-string is rejected',
+         dict(
+             params=dict(
+                 database='postgres',
+                 op='VACUUM',
+                 buffer_usage_limit=12345,
+                 verbose=True,
+             ),
+         )),
+        ('vacuum_parallel with SQL-injection payload is rejected',
+         dict(
+             params=dict(
+                 database='postgres',
+                 op='VACUUM',
+                 vacuum_parallel='0); COPY (SELECT 1) TO PROGRAM \'id\'; --',
+                 verbose=True,
+             ),
+         )),
+        ('vacuum_parallel negative is rejected',
+         dict(
+             params=dict(
+                 database='postgres',
+                 op='VACUUM',
+                 vacuum_parallel='-1',
+                 verbose=True,
+             ),
+         )),
+        ('vacuum_parallel above max is rejected',
+         dict(
+             params=dict(
+                 database='postgres',
+                 op='VACUUM',
+                 vacuum_parallel='99999',
+                 verbose=True,
+             ),
+         )),
+        ('vacuum_index_cleanup with SQL-injection payload is rejected',
+         dict(
+             params=dict(
+                 database='postgres',
+                 op='VACUUM',
+                 vacuum_index_cleanup='OFF); COPY (SELECT 1) TO PROGRAM '
+                                      "'id'; ANALYZE (VERBOSE",
+                 verbose=True,
+             ),
+         )),
+        ('vacuum_index_cleanup with unknown value is rejected',
+         dict(
+             params=dict(
+                 database='postgres',
+                 op='VACUUM',
+                 vacuum_index_cleanup='MAYBE',
+                 verbose=True,
+             ),
+         )),
+        ('vacuum_index_cleanup lowercase is rejected',
+         dict(
+             params=dict(
+                 database='postgres',
+                 op='VACUUM',
+                 vacuum_index_cleanup='off',
+                 verbose=True,
+             ),
+         )),
+        ('reindex_tablespace non-string is rejected',
+         dict(
+             params=dict(
+                 database='postgres',
+                 op='REINDEX',
+                 reindex_tablespace=['pg_default'],
+                 verbose=True,
+             ),
+         )),
+        ('vacuum_index_cleanup as list is rejected (no 500)',
+         dict(
+             params=dict(
+                 database='postgres',
+                 op='VACUUM',
+                 vacuum_index_cleanup=['OFF'],
+                 verbose=True,
+             ),
+         )),
+        ('vacuum_index_cleanup as dict is rejected (no 500)',
+         dict(
+             params=dict(
+                 database='postgres',
+                 op='VACUUM',
+                 vacuum_index_cleanup={'$ne': None},
+                 verbose=True,
+             ),
+         )),
+    ]
+
+    @patch('pgadmin.tools.maintenance.BatchProcess')
+    @patch('pgadmin.utils.driver.{0}.server_manager.ServerManager.'
+           'export_password_env'.format(PG_DEFAULT_DRIVER))
+    def runTest(self, export_password_env_mock, batch_process_mock):
+        self.server_id = parent_node_dict["database"][-1]["server_id"]
+        self.db_id = parent_node_dict["database"][-1]["db_id"]
+        url = MAINTENANCE_URL.format(self.server_id, self.db_id)
+
+        batch_process_mock.return_value.id = 1
+        batch_process_mock.return_value.set_env_variables = MagicMock(
+            return_value=True)
+        batch_process_mock.return_value.start = MagicMock(return_value=True)
+        export_password_env_mock.return_value = True
+
+        response = self.tester.post(url,
+                                    data=json.dumps(self.params),
+                                    content_type='html/json')
+
+        self.assertEqual(response.status_code, 400)
+        # Validation must reject the request before BatchProcess is touched.
+        self.assertFalse(batch_process_mock.called)
+
+
+class MaintenanceInputValidationAcceptsValidTest(BaseTestGenerator):
+    """
+    Confirm that legitimate option values still pass validation. Anything
+    that the UI can produce should reach BatchProcess.
+    """
+
+    scenarios = [
+        ('vacuum_index_cleanup AUTO is accepted',
+         dict(params=dict(database='postgres', op='VACUUM',
+                          vacuum_index_cleanup='AUTO', verbose=True))),
+        ('buffer_usage_limit with space is accepted',
+         dict(params=dict(database='postgres', op='ANALYZE',
+                          buffer_usage_limit='128 kB', verbose=True))),
+        ('buffer_usage_limit case-insensitive is accepted',
+         dict(params=dict(database='postgres', op='VACUUM',
+                          buffer_usage_limit='1mb', verbose=True))),
+        ('vacuum_parallel zero is accepted',
+         dict(params=dict(database='postgres', op='VACUUM',
+                          vacuum_parallel='0', verbose=True))),
+        ('vacuum_parallel max is accepted',
+         dict(params=dict(database='postgres', op='VACUUM',
+                          vacuum_parallel='1024', verbose=True))),
+    ]
+
+    @patch('pgadmin.tools.maintenance.Server')
+    @patch('pgadmin.tools.maintenance.Message')
+    @patch('pgadmin.tools.maintenance.BatchProcess')
+    @patch('pgadmin.utils.driver.{0}.server_manager.ServerManager.'
+           'export_password_env'.format(PG_DEFAULT_DRIVER))
+    def runTest(self, export_password_env_mock, batch_process_mock,
+                message_mock, server_mock):
+        self.server_id = parent_node_dict["database"][-1]["server_id"]
+        self.db_id = parent_node_dict["database"][-1]["db_id"]
+        url = MAINTENANCE_URL.format(self.server_id, self.db_id)
+
+        class TestMockServer:
+            def __init__(self, host, port, sid, username):
+                self.host = host
+                self.port = port
+                self.id = sid
+                self.username = username
+
+        mock_obj = TestMockServer('localhost', 5444, self.server_id,
+                                  'postgres')
+        server_mock.query.filter_by.return_value.first.return_value = mock_obj
+
+        batch_process_mock.return_value.id = 140391
+        batch_process_mock.return_value.set_env_variables = MagicMock(
+            return_value=True)
+        batch_process_mock.return_value.start = MagicMock(return_value=True)
+        message_mock.message = 'test'
+        batch_process_mock.return_value.desc = message_mock
+        export_password_env_mock.return_value = True
+
+        response = self.tester.post(url,
+                                    data=json.dumps(self.params),
+                                    content_type='html/json')
+
+        self.assertEqual(response.status_code, 200)
+        self.assertTrue(batch_process_mock.called)