Oinone Pamirs SQL Injection Vulnerability in queryListByWrapper Interface
Vulnerability
A SQL injection vulnerability has been identified in the Oinone Pamirs low-code development framework, affecting versions prior to 7.2.0. The issue arises in the queryListByWrapper interface, where the RSQLToSQLNodeConnector.makeVariable function improperly handles string inputs. This flaw allows attackers to inject malicious SQL commands by exploiting RSQL's syntax, potentially leading to unauthorized database access or manipulation.
Impact
Exploitation of this vulnerability allows unauthorized attackers to execute injected SQL commands, with the potential to modify, delete, or query database resources. Additionally, attackers could gain SQL-shell level privileges.
Reproduction
To reproduce this vulnerability, send a POST request to the /pamirs/base endpoint with a JSON payload that includes a crafted RSQL query. The query should exploit the vulnerable string handling by injecting SQL commands through the queryListByWrapper interface.
Remediation
To address this vulnerability, Oinone recommends removing anonymous access permissions for the queryListByWrapper interface, implementing field validity checks to prevent sensitive data exfiltration, and using parameterized queries to safely handle user input.
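The difference between pasting an RSQL string argument into SQL text and binding it, combined with a field allowlist, is shown in the following added example. It is a toy translator written for this page, not Pamirs code and not the RSQLToSQLNodeConnector implementation; the table, the allowlist, the function names and the sample inputs are all constructed assumptions.

```python
import re
import sqlite3

# Hypothetical allowlist of queryable fields -> column names (not Pamirs' real model).
ALLOWED_FIELDS = {"name": "name", "status": "status"}
OPERATORS = {"==": "=", "!=": "<>"}
# One RSQL comparison: selector, operator, single-quoted or bare argument.
COMPARISON = re.compile(r"^(\w+)(==|!=)(?:'(.*)'|([^';,()\s]+))$", re.S)

def parse(rsql):
    m = COMPARISON.match(rsql)
    if not m:
        raise ValueError("unsupported RSQL expression")
    field, op, quoted, bare = m.groups()
    return field, op, quoted if quoted is not None else bare

def to_sql_concat(rsql):
    """Weak pattern: any field is accepted and the argument is pasted into the SQL text."""
    field, op, value = parse(rsql)
    return f"SELECT name FROM users WHERE {field} {OPERATORS[op]} '{value}'", ()

def to_sql_bound(rsql):
    """Hardened pattern: allowlisted column, argument passed as a bind parameter."""
    field, op, value = parse(rsql)
    if field not in ALLOWED_FIELDS:
        raise ValueError(f"field not queryable: {field}")
    return f"SELECT name FROM users WHERE {ALLOWED_FIELDS[field]} {OPERATORS[op]} ?", (value,)

def run(translator, rsql):
    """Translate one RSQL comparison and execute it against a constructed in-memory table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, status TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("alice", "active", "h1"), ("bob", "disabled", "h2")])
    sql, params = translator(rsql)
    return sorted(row[0] for row in db.execute(sql, params))

# Constructed input: the quoted argument carries a quote character of its own.
CRAFTED = "name=='x' OR '1'='1'"

if __name__ == "__main__":
    print("concatenated:", run(to_sql_concat, CRAFTED))   # filter is bypassed
    print("bound:       ", run(to_sql_bound, CRAFTED))    # argument stays a literal
```

With the bound translator the whole argument is compared as a literal value, and a selector outside the allowlist is rejected before any SQL is built.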
