SQL injection - Code In nocodb
Description
NocoDB: Postgres SQL Injection in Formula ARRAYSORT
Summary
An authenticated user with columnAdd permission on a Postgres-backed base can inject arbitrary SQL into the formula engine via the optional direction argument of ARRAYSORT(...). The value is unrestricted by formula validation and embedded into a knex.raw ORDER BY clause, executing during column creation and on every subsequent record read of the formula column.
Details
The vulnerability is specific to the Postgres mapping for ARRAYSORT in packages/nocodb/src/db/functionMappings/pg.ts. Two factors combine:
ARRAYSORT declares only argument count, not validation.args.type, so validate-extract-tree.ts does not enforce an allowlist on the second argument.
The Postgres mapping then passes the attacker-controlled value through sanitize(knex.raw(...)) into a raw SQL fragment:
const direction = pt.arguments[1] ? sanitize( knex.raw(pt.arguments[1]?.value ?? (await fn(pt.arguments[1])).builder), ) : knex.raw('asc'); return { builder: knex.raw(`ARRAY(SELECT UNNEST(??) ORDER BY 1 ??)`, [source, direction]),...
sanitize() in sqlSanitize.ts only escapes ? placeholder characters; it does not validate SQL syntax. A payload such as "desc, (SELECT COUNT(*) FROM generate_series(1,30000000))" is accepted, persisted, and re-executed on every read of the formula column.
Impact
Authenticated SQL injection against Postgres-backed bases.
Requires columnAdd permission (creator/owner-level).
Proven impact: attacker-controlled heavy SQL causing multi-second query stalls (DoS).
Potentially extendable to broader SQL injection outcomes depending on database permissions and deployment hardening.
Limited to Postgres backends.
Credit
This issue was reported by @leduckhuong.
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
 npm | 2026.04.1 |
Aliases
References