Daptin SQL Injection Vulnerability in Aggregate API

Vulnerability

A SQL injection vulnerability has been identified in Daptin version 0.10.3 within the Aggregate API component. The issue is in 'server/resource/resource_aggregate.go', where the user-supplied 'column', 'group', and 'order' request parameters are passed directly to 'goqu.L()'. 'goqu.L()' is goqu's raw-literal constructor: the string handed to it is spliced into the generated SQL verbatim, so none of the escaping or parameter binding goqu applies to ordinary values is in effect. An attacker able to call the Aggregate API (the reproduction below does so as an authenticated admin) can therefore alter the structure of the query, potentially leading to unauthorized data access or modification. The vulnerability affects all versions of Daptin that include the Aggregate API, starting from commit 755f5d42, dated May 24, 2025.

Impact

Exploitation of this vulnerability allows attackers to execute SQL of their choosing, bypassing the parameterization and escaping that protects the rest of the query. This could lead to unauthorized data access, such as extracting sensitive information from the database, including user credentials and API keys. Depending on the database backend and the privileges of Daptin's database account, subquery- or stacked-query-based payloads may also permit data modification. The vulnerability could also be exploited to cause a denial-of-service condition by executing resource-intensive SQL queries.

Reproduction

To reproduce this vulnerability, first register as the first user on a fresh Daptin instance, which automatically grants that account admin privileges. Log in to obtain a JWT, then send an authenticated request to the '/aggregate/world' endpoint with a crafted 'column' parameter carrying a SQL injection payload. The response contains the data selected by the injected SQL, confirming successful exploitation.

Remediation

It is recommended to validate the 'column', 'group', and 'order' parameters before they reach the query builder: accept only column names that exist in the target table's schema and only a fixed set of aggregate functions, and reject anything containing subquery syntax, comments, quotes, or additional parentheses. Note that column and function names are SQL identifiers, not values, so they cannot simply be bound as query parameters; the validated names should be emitted through goqu's identifier helpers ('goqu.I()' / 'goqu.C()') rather than through 'goqu.L()'. Only the aggregate function names, which come from a server-side allowlist, belong in a literal.
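The vulnerable pattern and the allowlist remediation described above, as an added Go example that is not Daptin's code. It avoids the goqu dependency and assembles SQL by hand so the difference is visible as text: the unsafe builder concatenates request parameters the way a raw 'goqu.L()' literal would, while the safe builder validates each parameter against a schema-derived allowlist first. The 'func(column)' syntax for 'column', the '-column' syntax for descending 'order', the table columns, and the injection-like input are all constructed assumptions for illustration, not a claim about Daptin's actual request format or a working payload.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// AggregatePolicy is the server-side allowlist for one table. In a real
// service it is derived from the schema, never from the request.
type AggregatePolicy struct {
	Table   string
	Columns map[string]bool // real column names of Table
	Funcs   map[string]bool // aggregate functions we are willing to emit
}

// aggSpec accepts exactly "func(column)" or "func(*)": no spaces, quotes,
// commas, extra parentheses or comment markers can get through.
var aggSpec = regexp.MustCompile(`^([a-zA-Z_]+)\((\*|[a-zA-Z_][a-zA-Z0-9_]*)\)$`)

// quoteIdent emits a double-quoted SQL identifier. It is only called on
// names that already passed the allowlist, so quoting is defence in depth.
func quoteIdent(s string) string {
	return `"` + strings.ReplaceAll(s, `"`, `""`) + `"`
}

// UnsafeAggregateSQL mirrors the vulnerable pattern: request parameters
// become raw SQL text, which is what passing them to goqu.L() amounts to.
func UnsafeAggregateSQL(table string, columns, groups, orders []string) string {
	sql := "SELECT " + strings.Join(columns, ", ") + " FROM " + table
	if len(groups) > 0 {
		sql += " GROUP BY " + strings.Join(groups, ", ")
	}
	if len(orders) > 0 {
		sql += " ORDER BY " + strings.Join(orders, ", ")
	}
	return sql
}

// SafeAggregateSQL validates every parameter against the policy and only
// then assembles SQL from allowlisted function names and quoted identifiers.
func SafeAggregateSQL(p AggregatePolicy, columns, groups, orders []string) (string, error) {
	if len(columns) == 0 {
		return "", fmt.Errorf("at least one aggregate column is required")
	}
	var selects, groupBy, orderBy []string
	for _, c := range columns {
		m := aggSpec.FindStringSubmatch(c)
		if m == nil {
			return "", fmt.Errorf("column %q: expected func(column)", c)
		}
		fn, col := strings.ToLower(m[1]), m[2]
		if !p.Funcs[fn] {
			return "", fmt.Errorf("column %q: function %q not allowed", c, fn)
		}
		arg, name := "*", "all"
		if col != "*" {
			if !p.Columns[col] {
				return "", fmt.Errorf("column %q: unknown column %q", c, col)
			}
			arg, name = quoteIdent(col), col
		}
		selects = append(selects, fmt.Sprintf("%s(%s) AS %s", fn, arg, quoteIdent(fn+"_"+name)))
	}
	for _, g := range groups {
		if !p.Columns[g] { // a subquery or any non-column text fails the lookup
			return "", fmt.Errorf("group %q: unknown column", g)
		}
		selects = append(selects, quoteIdent(g))
		groupBy = append(groupBy, quoteIdent(g))
	}
	for _, o := range orders {
		dir, col := "ASC", o
		if strings.HasPrefix(o, "-") { // assumed "-column" means descending
			dir, col = "DESC", o[1:]
		}
		if !p.Columns[col] {
			return "", fmt.Errorf("order %q: unknown column", o)
		}
		orderBy = append(orderBy, quoteIdent(col)+" "+dir)
	}
	sql := "SELECT " + strings.Join(selects, ", ") + " FROM " + quoteIdent(p.Table)
	if len(groupBy) > 0 {
		sql += " GROUP BY " + strings.Join(groupBy, ", ")
	}
	if len(orderBy) > 0 {
		sql += " ORDER BY " + strings.Join(orderBy, ", ")
	}
	return sql, nil
}

// examplePolicy is a constructed allowlist for a table named "world";
// the column names are invented for the demonstration.
func examplePolicy() AggregatePolicy {
	return AggregatePolicy{
		Table:   "world",
		Columns: map[string]bool{"id": true, "table_name": true, "is_hidden": true},
		Funcs:   map[string]bool{"count": true, "sum": true, "min": true, "max": true},
	}
}

func main() {
	p := examplePolicy()
	benign := []string{"count(*)"}
	hostile := []string{"count(*) FROM user_account --"} // constructed illustration only
	fmt.Println(UnsafeAggregateSQL("world", hostile, nil, nil))
	fmt.Println(SafeAggregateSQL(p, benign, []string{"is_hidden"}, []string{"-is_hidden"}))
	fmt.Println(SafeAggregateSQL(p, hostile, nil, nil))
}
```

The key design choice is that the request never contributes SQL text: function names are looked up in a server-side set, column names must match the schema, and everything that reaches the query is either one of those allowlisted tokens or a quoted identifier built from one. Anything else, including subquery syntax in 'group' or a comment marker in 'column', is rejected before a query is built.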

Added: Jan 2, 2026, 5:25 PM
Updated: Jan 2, 2026, 5:25 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.8
exploitability: 6.1
remediation: 0.0
relevance: 1.8
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.