NocoBase SQL Injection Vulnerability in Recursive Eager Loading
Vulnerability
A SQL injection vulnerability has been identified in NocoBase versions prior to 2.0.39. The issue arises in the queryParentSQL() function within the core database package, where a recursive Common Table Expression (CTE) query is constructed by concatenating nodeIds directly into the SQL string rather than passing them as parameters of a parameterized query. This flaw allows an attacker to inject arbitrary SQL by creating a record whose string primary key contains SQL metacharacters; the injected SQL is then executed when recursive eager loading is applied to that collection.
Impact
Exploitation of this vulnerability allows for arbitrary SQL injection, with confirmed extraction of sensitive data, including full credential dumps (emails and password hashes) from the users table. Additionally, depending on the privileges of the database user, it could allow unauthorized data modifications or deletions. On PostgreSQL with superuser rights, it could lead to OS command execution.
Reproduction
To reproduce this vulnerability, create a tree collection in NocoBase with string-type primary keys. Then insert a record whose primary key contains SQL metacharacters, so that the value, once concatenated into the query, alters the statement. Once that record exists, the injected SQL is executed during the recursive eager loading process, allowing data extraction via error-based SQL injection.
Remediation
Users should update to NocoBase version 2.0.39 or later, where this vulnerability has been patched. Additionally, it is recommended to validate primary key values at the time of record creation and to reject or escape any values containing SQL metacharacters.
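The concatenation flaw described in the Vulnerability section, shown beside its parameterized form and the primary-key validation recommended above, as an added illustration written for this advisory rather than NocoBase's own code; the function names, the "parentId" column, the table name and the $n placeholder style are assumptions.

```typescript
// Added illustration, not NocoBase's code: the parent-lookup CTE built the
// vulnerable way (string concatenation) and the parameterized way, plus the
// primary-key validation the remediation recommends. All names are assumed.

interface BoundQuery {
  sql: string;    // statement text with $n placeholders
  bind: string[]; // values handed to the driver separately
}

// Table and column names come from collection metadata, not from requests;
// quoting them keeps the generated SQL well-formed.
function quoteIdent(name: string): string {
  return `"${name.replace(/"/g, '""')}"`;
}

// Shared CTE shape: seed rows by id, then walk upwards via "parentId".
function parentCte(table: string, seedList: string): string {
  const t = quoteIdent(table);
  return (
    `WITH RECURSIVE cte AS (SELECT id, "parentId" FROM ${t} ` +
    `WHERE id IN (${seedList}) UNION ALL SELECT c.id, c."parentId" ` +
    `FROM ${t} c JOIN cte ON c.id = cte."parentId") SELECT * FROM cte`
  );
}

// Vulnerable pattern: each key is spliced into the statement as a quoted
// literal, so a key containing a quote character rewrites the query.
function queryParentSQLUnsafe(table: string, nodeIds: string[]): string {
  return parentCte(table, nodeIds.map((id) => `'${id}'`).join(', '));
}

// Hardened pattern: one positional placeholder per key; the key values never
// enter the SQL text, whatever characters they contain.
function queryParentSQLSafe(table: string, nodeIds: string[]): BoundQuery {
  if (nodeIds.length === 0) throw new Error('nodeIds must not be empty');
  const placeholders = nodeIds.map((_, i) => `$${i + 1}`).join(', ');
  return { sql: parentCte(table, placeholders), bind: [...nodeIds] };
}

// Defence in depth at record creation: accept only string primary keys drawn
// from a conservative character set, so SQL metacharacters are rejected.
const PK_PATTERN = /^[A-Za-z0-9_-]{1,64}$/;
function isSafePrimaryKey(pk: string): boolean {
  return PK_PATTERN.test(pk);
}

// Constructed sample key: a single quote is enough to break the unsafe form.
const SAMPLE_BAD_KEY = "abc'def";
```

The unsafe builder leaves the quote from SAMPLE_BAD_KEY inside the statement text, while the safe builder keeps it confined to the bind array.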