Daptin: SQL injection via unvalidated goqu.L() calls in aggregate API

Description

Summary

The /aggregate/:typename endpoint accepted column and group query parameters that were passed verbatim to goqu.L() — a raw SQL literal expression builder — without any validation. This bypassed all parameterization and allowed authenticated users with any valid session to inject arbitrary SQL expressions.

Impact

An authenticated low-privilege user could:
- Extract data from any table via subquery: (SELECT group_concat(email) FROM user_account) as leak
- Disclose database internals: sqlite_version(), (SELECT sql FROM sqlite_master)
- Exfiltrate cross-table data via correlated subqueries

The vulnerability was confirmed locally; user_account.email values were extracted via a crafted column parameter by a non-admin user.

Root Cause

goqu.L(userInput) in server/resource/resource_aggregate.go inserted user-supplied query parameters directly into the SQL string with no validation.

Fix (v0.11.4)

All goqu.L() calls on user-controlled input were eliminated and replaced with:
- Structural expression parsing supporting all documented API forms
- Schema-based column validation (column names checked against entity schema via TableInfo().GetColumnByName())
- Exact-match allowlist for aggregate functions (count, sum, avg, min, max, first, last) and scalar functions (date, strftime, upper, lower, etc.)
- Safe goqu constructors (goqu.I(), goqu.SUM(), goqu.Func()) for all generated expressions
- allowedTables scope enforcement: qualified column refs (table.col) validated against root entity + explicitly joined tables only

Two additional DoS bugs were fixed in the same commit: uuid.MustParse panic on malformed UUID input and an index-out-of-range panic in ToOrderedExpressionArray on empty sort expressions.

Credits

Reported by @VashuVats.

Basic information

Type
reviewed
Severity
high
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2026-04-22 17:38:02 UTC
Updated
2026-05-08 21:47:30 UTC
GitHub reviewed
2026-04-22 17:38:02 UTC
NVD published
2026-05-07

EPSS Score

Score Percentile
0.05% 14.09%

CVSS Scores

Base score Version Severity Vector
8.3 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L)
A normal user session is enough; they don’t have to be admin.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:L)
Might cause slowdowns, glitches, or partial disruption—not a full brick.

Identifiers

CWEs

CWE id Name
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Credits

  • VashuVats (reporter)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
go github.com/daptin/daptin < 0.11.4 0.11.4

References

cvelogic Threat Intelligence