Nocobase — CraftedSignal Threat Feed

NocoBase SQL Injection via Missing Validation on Update Endpoint

hello@craftedsignal.io — Wed, 24 Jan 2024 12:00:00 +0000

The @nocobase/plugin-collection-sql plugin for NocoBase is vulnerable to SQL injection. Specifically, the checkSQL() validation function, responsible for preventing dangerous SQL keywords, is applied to the collections:create and sqlCollection:execute endpoints, but is absent from the sqlCollection:update endpoint. This oversight allows an attacker with collection management permissions (specifically, the pm.data-source-manager.collection-sql snippet) to inject arbitrary SQL code. The attack involves creating a SQL collection with benign SQL, updating it with malicious SQL bypassing validation, and subsequently querying the collection to execute the injected SQL. This vulnerability, confirmed to affect versions 2.0.32 and earlier, can lead to unauthorized data access, privilege escalation, and potentially remote code execution on the database server.

Attack Chain

The attacker gains collection management permissions, possibly through compromised credentials or exploiting another vulnerability.
The attacker crafts a request to the collections:create endpoint to create a new SQL collection with a benign SQL query, such as "SELECT 1 as id".
The NocoBase server processes the request, and the checkSQL() function validates the SQL query and allows the collection creation.
The attacker crafts a malicious request to the sqlCollection:update endpoint, targeting the newly created collection. The request contains a SQL payload designed to extract sensitive data, such as "SELECT * FROM users", or execute malicious functions.
The NocoBase server processes the update request, but crucially, the checkSQL() function is not called, allowing the malicious SQL payload to be saved to the collection configuration.
The attacker crafts a request to the :list endpoint to query the updated collection.
The NocoBase server executes the stored malicious SQL query against the database.
The database returns the results of the malicious query, potentially containing sensitive data (e.g., user credentials), which is then returned to the attacker.

Impact

Successful exploitation of this SQL injection vulnerability can have severe consequences. Attackers can exfiltrate sensitive data, including user credentials and password hashes, leading to confidentiality breaches. Furthermore, by using database-specific functions such as pg_read_file or LOAD_FILE, attackers can potentially read arbitrary files from the database server’s filesystem. The vulnerability can also be exploited for privilege escalation, allowing attackers to gain unauthorized access to other databases or execute arbitrary code on the database server. While the number of victims is unknown, any NocoBase instance running a vulnerable version of the @nocobase/plugin-collection-sql plugin is susceptible to this attack.

Recommendation

Apply the fix suggested in the advisory by adding checkSQL() to the update action within the @nocobase/plugin-collection-sql plugin.
Deploy the Sigma rule Detect NocoBase SQL Injection via Update Endpoint to detect attempts to exploit this vulnerability by monitoring HTTP requests to the sqlCollection:update endpoint.
Upgrade to a patched version of @nocobase/plugin-collection-sql that includes the necessary validation on the update action, mitigating the risk of SQL injection.
Implement the more comprehensive defense measures recommended in the advisory, such as centralizing validation and strengthening the blocklist of dangerous SQL keywords to prevent future vulnerabilities.

NocoBase SQL Injection via Recursive Eager Loading

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

A SQL injection vulnerability exists in NocoBase version 2.0.32 and earlier due to string concatenation in the queryParentSQL() function within the @nocobase/database core package. The vulnerability stems from how the queryParentSQL() function constructs a recursive CTE query by concatenating nodeIds instead of using parameterized queries. An attacker with record creation permissions on a tree collection with string-type primary keys can inject arbitrary SQL via a malicious string primary key value in a created record. This injection is triggered when a subsequent request initiates recursive eager loading on that collection. This can lead to confidentiality breaches (extraction of database values including credentials), integrity issues (data manipulation via stacked queries), and availability problems (resource exhaustion). On PostgreSQL with superuser privileges, OS command execution is possible. The vulnerability affects all collections using a tree/adjacency-list structure with string primary keys. The same concatenation pattern also exists in plugin-field-sort/src/server/sort-field.ts:124. The vulnerability is tracked as CVE-2026-41640.

Attack Chain

An attacker gains access to the NocoBase application with privileges to create records in a collection.
The attacker identifies a “tree” collection that utilizes a string-type primary key.
The attacker crafts a malicious primary key string containing SQL injection payload, such as root') UNION ALL SELECT CAST((SELECT email FROM users LIMIT 1) AS integer)::text, NULL::text WHERE ('1'='1.
The attacker creates a new record in the target collection using the crafted malicious primary key.
A subsequent request is made that triggers recursive eager loading on the target collection, specifically when a BelongsTo association has recursively: true and instances exist, calling the vulnerable queryParentSQL function.
The queryParentSQL function concatenates the malicious primary key into the SQL query without proper sanitization or parameterization.
The injected SQL code is executed against the database, allowing the attacker to extract sensitive data via error messages or potentially perform other malicious actions.
The attacker retrieves the extracted data from the error messages or through other means, such as direct database access if integrity is compromised.

Impact

This SQL injection vulnerability can lead to severe consequences. Successful exploitation can result in the unauthorized disclosure of sensitive information, including database credentials and other user data. Attackers can potentially modify data or execute arbitrary commands on the database server, leading to data corruption or system compromise. In the case of PostgreSQL databases with superuser privileges, attackers might gain operating system-level access. The vulnerability affects all collections using tree/adjacency-list structure with string-type primary keys, increasing the attack surface. Confirmed extractions include version information, database names, emails, and password hashes.

Recommendation

Deploy the Sigma rule Detect NocoBase SQL Injection Attempt in Primary Key to your SIEM to detect attempts to exploit this vulnerability via malicious primary key values.
Apply the suggested fix from the advisory by using parameterized queries in packages/core/database/src/eager-loading/eager-loading-tree.ts as referenced in the overview.
Apply the same fix to plugin-field-sort/src/server/sort-field.ts:124 to address the identical concatenation pattern as described in the overview.
Validate primary key values at record creation time to reject or escape values containing SQL metacharacters (', ", ;, --) in string-type primary key fields, as suggested in the advisory.