@saltcorn/data vulnerable to SQL Injection via jsexprToSQL Literal Handler

Description

The jsexprToSQL() function in Saltcorn converts JavaScript expressions to SQL for use in database constraints. The Literal handler wraps string values in single quotes without escaping embedded single quotes, allowing SQL injection when creating Formula-type table constraints.

Recommendation

Update the @saltcorn/data package to the latest compatible version. Followings are version details:

• Affected version(s): **>= 1.6.0-alpha.0, < 1.6.0-beta.4

  >= 1.5.0, < 1.5.5

  < 1.4.5**

• Patched version(s): **1.6.0-beta.4

  1.5.5

  1.4.5**

References

• GHSA-59xv-588h-2vmm
• CWE-89
• OWASP 2021-A3

Related Issues

• Veramo is Vulnerable to SQL Injection in Veramo Data Store ORM - Vulnerability
• @saltcorn/server Remote Code Execution (RCE) / SQL injection via prototype pollution by manipulating `lang` and `defst - Vulnerability
• Eta vulnerable to Code Injection via templates rendered with user-defined data - CVE-2022-25967
• Matrix-appservice-irc vulnerable to sql injection via roomIds argument - CVE-2022-3971

You might also like:

These 7 PHP mistakes leave your website open to the hackers

44 New SQL Injection Tests for WordPress in SmartScanner 1.8

How do hackers hack websites?

Tags:

npm

@saltcorn/data