GHSA-p8wx-5f39-w3x4
NocoDB: SQL Injection via Column Title in Bulk GroupBy
Details
### Summary

An authenticated user with column-create permission can inject SQL into the bulk groupBy endpoint by setting a column's title to a SQL fragment.

### Details

The bulk groupBy path in `group-by.ts` builds three database-specific `knex.raw()` aggregations that interpolate the request's `column_name` directly into the SQL string. Column lookup in `data-table.service.ts` matches on both the sanitized `column_name` field and the free-text `title`, so a title containing a SQL fragment bypasses the public endpoint's existing column allowlist and reaches the query builder unescaped.
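
The lookup-then-interpolate pattern described above, next to one way to close it, as an added TypeScript sketch that is not NocoDB's code. The `Column` shape, the function names and the sample columns are constructed for illustration, and double-quote identifier quoting (PostgreSQL/SQLite style) is an assumption.

```typescript
// Added illustration, not NocoDB source. All names here are hypothetical.
interface Column {
  column_name: string; // sanitized physical name
  title: string;       // free-text display name, user controlled
}

// Constructed sample: a title that closes the identifier and appends SQL text.
const CONSTRUCTED_TITLE = 'Status") /* injected */ --';

const columns: Column[] = [
  { column_name: "status", title: "Status" },
  { column_name: "field_1", title: CONSTRUCTED_TITLE },
];

// The allowlist lookup accepts a match on either field.
function findColumn(requested: string): Column | undefined {
  return columns.find(
    (c) => c.column_name === requested || c.title === requested,
  );
}

// Vulnerable shape: the lookup succeeds on the title, then the *request*
// string is pasted into the raw SQL text.
function unsafeAggregate(requested: string): string | null {
  if (!findColumn(requested)) return null;
  return `COUNT(DISTINCT "${requested}")`;
}

// Quote an identifier by doubling embedded double quotes.
function quoteIdent(name: string): string {
  return '"' + name.replace(/"/g, '""') + '"';
}

// Hardened shape: emit only the stored column_name of the resolved column,
// and quote it as an identifier. With knex, an identifier binding such as
// knex.raw('COUNT(DISTINCT ??)', [col.column_name]) serves the same purpose.
function safeAggregate(requested: string): string | null {
  const col = findColumn(requested);
  if (!col) return null;
  return `COUNT(DISTINCT ${quoteIdent(col.column_name)})`;
}
```

Passing the constructed title to `unsafeAggregate` yields SQL text in which the title's content sits outside the quoted identifier, while `safeAggregate` returns the same expression for that title as for the plain name `field_1`.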

### Impact

SQL injection against the connected database with read access to any expression an attacker can place in a column title. Exploitation requires an authenticated session with permission to create or rename columns.

### Credit

This issue was reported by [@geo-chen](https://github.com/geo-chen).