NocoBase Workflow SQL Injection Vulnerability
Vulnerability
A SQL injection vulnerability has been identified in NocoBase versions through 2.0.29, specifically within the 'plugin-workflow-sql' component. The issue arises because template variables are directly substituted into SQL strings without proper escaping or parameterization. This flaw allows users to inject arbitrary SQL into workflows that utilize SQL nodes with template variables derived from user-controlled data.
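The following is an added example written for this advisory, not NocoBase's own code. It contrasts the flawed pattern the advisory describes (a workflow variable pasted straight into the SQL text) with a parameterized rendering of the same template, in which every placeholder becomes a positional bind marker and its value travels out of band. The `{{path}}` placeholder syntax, the `renderSqlUnsafe`/`renderSqlParameterized` names and the `$1`-style markers are assumptions made for illustration; they are not the plugin's real API.

```javascript
// Added example (not NocoBase code): direct template substitution vs. bind parameters.
// Placeholder form {{a.b.c}} and all function names below are illustrative assumptions.

// Matches an optionally single-quoted {{path}} placeholder; quotes are captured so the
// unsafe renderer can keep them and the parameterized one can drop them.
const PLACEHOLDER = /('?)\{\{\s*([A-Za-z_][\w.]*)\s*\}\}('?)/g;

// Resolve a dotted path such as "trigger.data.nickname" inside the workflow context.
function lookup(vars, path) {
  return path.split('.').reduce((obj, key) => (obj == null ? undefined : obj[key]), vars);
}

// Vulnerable pattern: the variable's text is spliced into the statement, so any quote
// or SQL syntax in user-controlled data becomes part of the query itself.
function renderSqlUnsafe(template, vars) {
  return template.replace(PLACEHOLDER, (_, q1, name, q2) => q1 + String(lookup(vars, name)) + q2);
}

// Hardened pattern: each placeholder is replaced by a positional bind marker ($1, $2, ...)
// and the value is appended to a separate params array for the driver to bind. Whatever
// the value contains, the database receives it as data, never as statement text.
function renderSqlParameterized(template, vars) {
  const params = [];
  const sql = template.replace(PLACEHOLDER, (_, _q1, name) => {
    params.push(lookup(vars, name));
    return `$${params.length}`;
  });
  return { sql, params };
}

// Constructed sample: a collection-trigger context whose nickname contains an apostrophe,
// enough to show the statement structure changing under the unsafe renderer.
const SAMPLE_TEMPLATE = "SELECT id FROM users WHERE nickname = '{{trigger.data.nickname}}'";
const SAMPLE_CONTEXT = { trigger: { data: { nickname: "O'Brien" } } };

function demo() {
  return {
    unsafe: renderSqlUnsafe(SAMPLE_TEMPLATE, SAMPLE_CONTEXT),
    safe: renderSqlParameterized(SAMPLE_TEMPLATE, SAMPLE_CONTEXT),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const out = demo();
  console.log('unsafe :', out.unsafe);          // quote from the data now sits inside the SQL
  console.log('safe   :', out.safe.sql, out.safe.params);
}
```

Run with `node` to see the two renderings side by side. The unsafe output shows why the advisory's fix matters: a single quote in a nickname already alters the statement's structure, and the same mechanism lets any SQL the data carries reach the database. The parameterized output keeps the statement fixed at `... WHERE nickname = $1` regardless of input, which is the property a workflow SQL node needs when its variables come from user-controlled records.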
Impact
Exploitation of this vulnerability allows for arbitrary SQL injection, with the potential to read from or write to the database. The severity of the impact is heightened for users with administrative privileges, who could execute harmful SQL commands such as dropping tables or modifying critical data.
Reproduction
To reproduce this vulnerability, log in as an admin and create a collection-trigger workflow on the 'users' table. Add a SQL node with a query that includes a template variable placeholder for the nickname. Once the workflow is enabled, create a user with a crafted nickname that exploits the SQL injection vulnerability. After the workflow executes, the injected SQL will have been executed, demonstrating the successful exploitation of the vulnerability.
Remediation
This vulnerability has been patched in NocoBase version 2.0.30. Users should update to this version to address the issue.
