Summary
An authenticated user with column-create permission can inject SQL into the bulk groupBy
endpoint by setting a column's title to a SQL fragment.
Details
The bulk groupBy path in group-by.ts builds three database-specific knex.raw()
aggregations that interpolate the request's column_name directly into the SQL string.
Column lookup in data-table.service.ts matches on both the sanitized column_name
field and the free-text title, so a title containing a SQL fragment bypasses the
public endpoint's existing column allowlist and reaches the query builder unescaped.
Impact
SQL injection against the connected database with read access to any expression an
attacker can place in a column title. Exploitation requires an authenticated session
with permission to create or rename columns.
Credit
This issue was reported by @geo-chen.
References
Summary
An authenticated user with column-create permission can inject SQL into the bulk groupBy
endpoint by setting a column's title to a SQL fragment.
Details
The bulk groupBy path in
group-by.tsbuilds three database-specificknex.raw()aggregations that interpolate the request's
column_namedirectly into the SQL string.Column lookup in
data-table.service.tsmatches on both the sanitizedcolumn_namefield and the free-text
title, so a title containing a SQL fragment bypasses thepublic endpoint's existing column allowlist and reaches the query builder unescaped.
Impact
SQL injection against the connected database with read access to any expression an
attacker can place in a column title. Exploitation requires an authenticated session
with permission to create or rename columns.
Credit
This issue was reported by @geo-chen.
References