Nocobase · Plugin-Workflow-Sql · CVE-2026-34825
Name of the Vulnerable Software and Affected Versions
NocoBase versions prior to 2.0.30
Description
NocoBase is an AI-powered no-code/low-code platform. In the `plugin-workflow-sql` component, versions up to 2.0.8, the `SQLInstruction` in `packages/plugins/@nocobase/plugin-workflow-sql/src/server/SQLInstruction.ts` builds the query by substituting template variables directly into the raw SQL string via `getParsedValue()`, with no parameterization, escaping or quoting. `getParsedValue()` performs plain string replacement of `{{$context.data.fieldName}}` placeholders with values taken from the workflow trigger data, so whatever a user wrote into the triggering record becomes part of the SQL text.

Any user who can trigger a workflow whose SQL node references user-controlled data can therefore inject arbitrary SQL: a nickname containing an injection payload, for example, is executed as part of the node's query. Depending on the privileges of the database account NocoBase connects with, this gives full database read/write access, allowing an attacker to extract credentials, modify records, or drop tables.
Recommendations
Update to version 2.0.30 or later. For the code itself, replace direct string substitution with parameterized queries using Sequelize bind parameters: `processor.getParsedValueAsParams()` generates the SQL query together with its bind parameters, so template values reach the database as data rather than as part of the statement text.
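The following is an added illustration, not NocoBase's code: it re-creates the two rendering strategies the advisory contrasts. `renderSqlUnsafe` mimics the described behaviour of `getParsedValue()` (verbatim substitution of `{{...}}` placeholders), and `renderSqlAsParams` shows the bind-parameter shape that `getParsedValueAsParams()` is said to produce. The function names, the `resolvePath` helper, the placeholder regexes, the `users` table and the sample trigger context are all assumptions made for the example; the `$1, $2, ...` markers with a `bind` array follow the positional bind syntax that `sequelize.query(sql, { bind })` accepts, but no database is contacted here.

```javascript
// Added example (hypothetical helpers, not plugin-workflow-sql code): raw template
// substitution versus bind-parameter rendering of the same workflow SQL template.

// Matches a placeholder such as {{$context.data.nickname}} and captures the path.
const PLACEHOLDER = /\{\{\s*([$\w.]+)\s*\}\}/g;
// Same, but also swallows quotes an author wrapped around the placeholder ('{{...}}'),
// because a bind marker must never sit inside a string literal.
const QUOTED_PLACEHOLDER = /'?\{\{\s*([$\w.]+)\s*\}\}'?/g;

// Resolve a dotted path ("$context.data.nickname") against the trigger context object.
function resolvePath(context, path) {
  return path.split('.').reduce((acc, key) => (acc == null ? undefined : acc[key]), context);
}

// Vulnerable rendering (models the advisory's description of getParsedValue()):
// the resolved value is pasted into the SQL text exactly as the user supplied it.
function renderSqlUnsafe(template, context) {
  return template.replace(PLACEHOLDER, (_, path) => String(resolvePath(context, path)));
}

// Hardened rendering: every placeholder becomes a positional bind marker and the
// values travel separately, so the database driver never parses them as SQL.
function renderSqlAsParams(template, context) {
  const bind = [];
  const sql = template.replace(QUOTED_PLACEHOLDER, (_, path) => {
    bind.push(resolvePath(context, path));
    return `$${bind.length}`;
  });
  return { sql, bind };
}

// Constructed trigger context: the nickname field carries an injection payload, as in
// the advisory's example. The template is what a workflow author might type into a SQL node.
const sampleContext = { $context: { data: { nickname: "' OR 1=1 --", role: 'member' } } };
const sampleTemplate =
  "SELECT id FROM users WHERE nickname = '{{$context.data.nickname}}' AND role = '{{$context.data.role}}'";

console.log('unsafe :', renderSqlUnsafe(sampleTemplate, sampleContext));
// unsafe : SELECT id FROM users WHERE nickname = '' OR 1=1 --' AND role = 'member'
console.log('params :', JSON.stringify(renderSqlAsParams(sampleTemplate, sampleContext)));
// params : {"sql":"SELECT id FROM users WHERE nickname = $1 AND role = $2","bind":["' OR 1=1 --","member"]}
```

In the unsafe output the payload closes the literal and comments out the rest of the WHERE clause, which is the injection the advisory describes; in the parameterized output the same bytes are just the first element of `bind`. One caveat for anyone porting templates to the bind form: existing node templates that quote the placeholder (`'{{...}}'`) must have those quotes removed (the helper above does it automatically), and a placeholder that names a table or column cannot be bound at all and needs an allow-list instead.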