NocoBase SQL Injection Vulnerability in Collection Update Endpoint
Vulnerability
A SQL injection vulnerability has been identified in NocoBase versions prior to 2.0.39. The issue arises in the 'sqlCollection:update' endpoint, where the 'checkSQL()' validation function, designed to block dangerous SQL keywords, is not applied. As a result, an attacker with collection management permissions can update an existing SQL collection with arbitrary SQL, bypassing the validation that is enforced when a collection is created. The injected SQL is then executed when the collection is queried and can be used to exfiltrate data. The vulnerability is present in the '@nocobase/plugin-collection-sql' component, affecting versions through 2.0.38.
Impact
Exploitation of this vulnerability allows arbitrary SQL injection and has been confirmed to exfiltrate sensitive data such as password hashes from the 'users' table. The injection could also be used to compromise database integrity or availability, and on PostgreSQL it could enable lateral movement to other databases via 'dblink'.
Reproduction
To reproduce this vulnerability, first create a SQL collection with benign SQL that passes the 'checkSQL()' validation. Then, update the collection using the 'sqlCollection:update' endpoint with SQL that contains dangerous keywords or functions, such as 'pg_read_file' or 'dblink'. After the update, query the collection to execute the injected SQL and retrieve the exfiltrated data.
Remediation
Update to NocoBase version 2.0.39 or later, where this vulnerability is patched. Until then, restrict collection management permissions to trusted administrators, since that permission is required to reach the affected endpoint.
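The defect described above is a validation check that runs on one write path (create) but not another (update). The following added illustration, which is not NocoBase code, models that pattern with a hypothetical denylist-style 'checkSQL()' and a minimal SQL-collection store, showing the vulnerable store beside the fixed one that routes every write through the same check. All names and the sample SQL are constructed.

```javascript
// Added illustration (not NocoBase code): a denylist-style SQL check in the
// spirit of the checkSQL() the advisory describes, next to a store that
// forgets to call it on update (vulnerable) and one that always calls it (fixed).
// Keyword list and store API are hypothetical.
const DANGEROUS_KEYWORDS = ["pg_read_file", "dblink", "drop", "delete", "update", "insert"];

// Reject anything that is not a single SELECT or that mentions a denylisted
// identifier. Returns the SQL unchanged when it passes.
function checkSQL(sql) {
  const normalized = sql.trim().toLowerCase();
  if (!normalized.startsWith("select")) {
    throw new Error("only SELECT statements are allowed");
  }
  if (normalized.split(";").filter((s) => s.trim()).length > 1) {
    throw new Error("multiple statements are not allowed");
  }
  for (const kw of DANGEROUS_KEYWORDS) {
    if (new RegExp(`\\b${kw}\\b`).test(normalized)) {
      throw new Error(`forbidden keyword: ${kw}`);
    }
  }
  return sql;
}

// Vulnerable pattern: the check guards create() but update() stores raw SQL,
// so a benign collection can later be re-pointed at unchecked SQL.
class VulnerableSqlCollectionStore {
  constructor() { this.collections = new Map(); }
  create(name, sql) { this.collections.set(name, checkSQL(sql)); }
  update(name, sql) { this.collections.set(name, sql); } // missing checkSQL()
  get(name) { return this.collections.get(name); }
}

// Fixed pattern: every path that persists SQL goes through the same check.
class FixedSqlCollectionStore extends VulnerableSqlCollectionStore {
  update(name, sql) { this.collections.set(name, checkSQL(sql)); }
}

// Creates a benign collection, then tries to update it with SQL containing a
// denylisted keyword (constructed sample). Returns true if the update is accepted.
function updateAccepted(store) {
  store.create("orders_view", "SELECT id, total FROM orders");
  try {
    store.update("orders_view", "SELECT dblink('constructed sample')");
    return true;
  } catch (e) {
    return false;
  }
}
```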
