{"url":"http://public2.vulnerablecode.io/api/packages/1020232?format=json","purl":"pkg:npm/%40saltcorn/data@1.1.0-beta.6","type":"npm","namespace":"@saltcorn","name":"data","version":"1.1.0-beta.6","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"1.4.5","latest_non_vulnerable_version":"1.6.0-beta.4","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89842?format=json","vulnerability_id":"VCID-pfz1-y9nf-7fd7","summary":"@saltcorn/data vulnerable to SQL Injection via jsexprToSQL Literal Handler\n## Summary\n\nThe `jsexprToSQL()` function in Saltcorn converts JavaScript expressions to SQL for use in database constraints. The `Literal` handler wraps string values in single quotes without escaping embedded single quotes, allowing SQL injection when creating Formula-type table constraints.\n\n\n## Vulnerable Component\n\n**File:** `packages/saltcorn-data/models/expression.ts`, lines 117-118\n\n```typescript\nLiteral({ value }: { value: ExtendedNode }) {\n if (typeof value == \"string\") return `'${value}'`; // NO ESCAPING!\n return `${value}`;\n},\n```\n\n**Call chain:** Formula constraint creation → `table_constraints.ts:127` → `jsexprToSQL()` → `Literal()` → `db.query()` executes unsanitized SQL.\n\n## Proof of Concept\n\n### Injection via Formula Constraint\n\nWhen an admin creates a Formula-type table constraint with the expression:\n\n```javascript\nname === \"test' OR '1'='1\"\n```\n\nThe `jsexprToSQL()` function generates:\n\n```sql\n(name)=('test' OR '1'='1')\n```\n\nThis is then executed as:\n\n```sql\nALTER TABLE \"tablename\" ADD CONSTRAINT \"tablename_fml_1\" CHECK ((name)=('test' OR '1'='1'));\n```\n\nThe single quote in the string literal is not escaped, breaking out of the SQL string context.\n\n### More Dangerous Payload\n\n```javascript\nname === \"'; DROP TABLE users; --\"\n```\n\nGenerates:\n\n```sql\n(name)=(''; DROP TABLE users; --')\n```\n\n### Verified on Saltcorn v1.5.0 (Docker)\n\nDirect invocation of `jsexprToSQL()` inside the running container confirms the vulnerability:\n\n```\nInput: name === \"hello\"\nOutput: (name)=('hello') ← Normal\n\nInput: name === \"test' OR '1'='1\"\nOutput: (name)=('test' OR '1'='1') ← Single quote NOT escaped, OR injected\n\nInput: name === \"'; DROP TABLE users; --\"\nOutput: (name)=(''; DROP TABLE users; --') ← DROP TABLE injected\n```\n\nThe test was performed on a completely fresh Saltcorn installation (zero user-created tables, default Docker setup).\n\n### PoC Screenshot\n\n1. Create a table after moving to the table menu\n\n![\"SCR-20260307-edqn\"](\"https://github.com/user-attachments/assets/a2d11102-f49b-4b2b-88ff-fced37476b6f\")
\n\n\n2. Go to the table and then to `Constraits`\n\n![\"SCR-20260307-edsg\"](\"https://github.com/user-attachments/assets/b55ddace-01be-4a53-8f62-cbec98172cd7\")
\n\n3. Go to `Formula`\n\n![\"SCR-20260307-edud\"](\"https://github.com/user-attachments/assets/8a5addc6-e681-401b-91ea-bce3b0eece54\")
\n\n4. Create a test table for verification\n\n![\"SCR-20260307-eetw\"](\"https://github.com/user-attachments/assets/debc8581-8145-44cb-a684-2bc3eb7adbcf\")
\n\n5. Input the payload and save\n\n![\"SCR-20260307-ehcz\"](\"https://github.com/user-attachments/assets/f7a3aa34-7b0b-48ea-b1df-f852f137c37f\")
\n\n6. Check the table for testing\n\n![\"SCR-20260307-ehuh\"](\"https://github.com/user-attachments/assets/8f6da842-0275-4729-93bf-96575f3fe963\")
\n\n\n\n## Impact\n\n- Arbitrary SQL execution via crafted CHECK constraints\n- Data exfiltration through error-based or time-based SQL injection\n- Database schema manipulation (DROP TABLE, ALTER TABLE)\n- Potential privilege escalation via direct `users` table modification\n\n## Suggested Remediation\n\nEscape single quotes in the `Literal` handler:\n\n```typescript\nLiteral({ value }: { value: ExtendedNode }) {\n if (typeof value == \"string\") return `'${value.replace(/'/g, \"''\")}'`;\n return `${value}`;\n},\n```\n\nAlternatively, use parameterized queries for constraint creation instead of string interpolation.","references":[{"reference_url":"https://github.com/saltcorn/saltcorn","reference_id":"","reference_type":"","scores":[{"value":"0.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/saltcorn/saltcorn"},{"reference_url":"https://github.com/saltcorn/saltcorn/security/advisories/GHSA-59xv-588h-2vmm","reference_id":"","reference_type":"","scores":[{"value":"0.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/saltcorn/saltcorn/security/advisories/GHSA-59xv-588h-2vmm"},{"reference_url":"https://github.com/advisories/GHSA-59xv-588h-2vmm","reference_id":"GHSA-59xv-588h-2vmm","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-59xv-588h-2vmm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/111065?format=json","purl":"pkg:npm/%40saltcorn/data@1.4.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540saltcorn/data@1.4.5"},{"url":"http://public2.vulnerablecode.io/api/packages/111066?format=json","purl":"pkg:npm/%40saltcorn/data@1.5.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540saltcorn/data@1.5.5"},{"url":"http://public2.vulnerablecode.io/api/packages/111067?format=json","purl":"pkg:npm/%40saltcorn/data@1.6.0-beta.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540saltcorn/data@1.6.0-beta.4"}],"aliases":["GHSA-59xv-588h-2vmm"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pfz1-y9nf-7fd7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89212?format=json","vulnerability_id":"VCID-xqes-aykm-17d8","summary":"@saltcorn/data: Tenant user role is used for tenant creation role check\n## Summary\n\nWhen a tenant admin is logged out of the root domain (e.g., saltcorn.com) but logged in to their own tenant space as admin, they can simply append `/tenant/create` to their tenant URL. The system reads the role from the tenant context (admin), and a new tenant is created on the **root domain** (in `PUBLIC SCHEMA > _sc_tenants`), rather than in the tenant's own `_sc_tenants` table.\n\nIf the same logic applies to other routes, a tenant admin effectively gains admin rights on the root domain.\n\n## PoC\n\nA tenant-created subtenant appears under the Saltcorn public schema instead of the tenant's own schema.\n\n- Even when `role_id=1` is required for tenant creation on saltcorn.com (only admin can create tenants), existing tenant admins can still create new tenants because their local `role_id:1` is evaluated against the root domain.\n- Even when `role_to_create_tenant` is set to `0` in the tenant's `_sc_config` schema, or removed entirely, the tenant admin can still create sub-tenants on the root domain — suggesting `role_to_create_tenant` is not being read at all.\n\n## Impact\n\nTenant admins gain unauthorized admin-level access to the root domain. Any authenticated tenant admin can perform privileged operations (e.g., creating tenants) on the root domain by exploiting the role context mismatch.","references":[{"reference_url":"https://github.com/saltcorn/saltcorn","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/saltcorn/saltcorn"},{"reference_url":"https://github.com/saltcorn/saltcorn/security/advisories/GHSA-9237-rg5p-rhfw","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/saltcorn/saltcorn/security/advisories/GHSA-9237-rg5p-rhfw"},{"reference_url":"https://github.com/advisories/GHSA-9237-rg5p-rhfw","reference_id":"GHSA-9237-rg5p-rhfw","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9237-rg5p-rhfw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/110257?format=json","purl":"pkg:npm/%40saltcorn/data@1.4.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-pfz1-y9nf-7fd7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540saltcorn/data@1.4.4"},{"url":"http://public2.vulnerablecode.io/api/packages/110259?format=json","purl":"pkg:npm/%40saltcorn/data@1.5.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-pfz1-y9nf-7fd7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540saltcorn/data@1.5.2"},{"url":"http://public2.vulnerablecode.io/api/packages/110260?format=json","purl":"pkg:npm/%40saltcorn/data@1.6.0-beta.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-pfz1-y9nf-7fd7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540saltcorn/data@1.6.0-beta.2"}],"aliases":["GHSA-9237-rg5p-rhfw"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xqes-aykm-17d8"}],"fixing_vulnerabilities":[],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540saltcorn/data@1.1.0-beta.6"}