PT-2026-33888 · Npm · @Saltcorn/Data

Published

2026-04-10

·

Updated

2026-04-10

CVSS v3.1

0.0

None

VectorAV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N

Summary

The jsexprToSQL() function in Saltcorn converts JavaScript expressions to SQL for use in database constraints. The Literal handler wraps string values in single quotes without escaping embedded single quotes, allowing SQL injection when creating Formula-type table constraints.

Vulnerable Component

File: packages/saltcorn-data/models/expression.ts, lines 117-118
typescript
Literal({ value }: { value: ExtendedNode }) {
 if (typeof value == "string") return `'${value}'`; // NO ESCAPING!
 return `${value}`;
},
Call chain: Formula constraint creation → table constraints.ts:127jsexprToSQL()Literal()db.query() executes unsanitized SQL.

Proof of Concept

Injection via Formula Constraint

When an admin creates a Formula-type table constraint with the expression:
javascript
name === "test' OR '1'='1"
The jsexprToSQL() function generates:
sql
(name)=('test' OR '1'='1')
This is then executed as:
sql
ALTER TABLE "tablename" ADD CONSTRAINT "tablename fml 1" CHECK ((name)=('test' OR '1'='1'));
The single quote in the string literal is not escaped, breaking out of the SQL string context.

More Dangerous Payload

javascript
name === "'; DROP TABLE users; --"
Generates:
sql
(name)=(''; DROP TABLE users; --')

Verified on Saltcorn v1.5.0 (Docker)

Direct invocation of jsexprToSQL() inside the running container confirms the vulnerability:
Input: name === "hello"
Output: (name)=('hello')             ← Normal

Input: name === "test' OR '1'='1"
Output: (name)=('test' OR '1'='1')        ← Single quote NOT escaped, OR injected

Input: name === "'; DROP TABLE users; --"
Output: (name)=(''; DROP TABLE users; --')     ← DROP TABLE injected
The test was performed on a completely fresh Saltcorn installation (zero user-created tables, default Docker setup).

PoC Screenshot

  1. Create a table after moving to the table menu
SCR-20260307-edqn
  1. Go to the table and then to Constraits
SCR-20260307-edsg
  1. Go to Formula
SCR-20260307-edud
  1. Create a test table for verification
SCR-20260307-eetw
  1. Input the payload and save
SCR-20260307-ehcz
  1. Check the table for testing
SCR-20260307-ehuh

Impact

  • Arbitrary SQL execution via crafted CHECK constraints
  • Data exfiltration through error-based or time-based SQL injection
  • Database schema manipulation (DROP TABLE, ALTER TABLE)
  • Potential privilege escalation via direct users table modification

Suggested Remediation

Escape single quotes in the Literal handler:
typescript
Literal({ value }: { value: ExtendedNode }) {
 if (typeof value == "string") return `'${value.replace(/'/g, "''")}'`;
 return `${value}`;
},
Alternatively, use parameterized queries for constraint creation instead of string interpolation.

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

GHSA-59XV-588H-2VMM

Affected Products

@Saltcorn/Data