Submit #719742: Daptin https://github.com/daptin/daptin 0.10.3 SQL Injection

Title: Daptin https://github.com/daptin/daptin 0.10.3 SQL Injection

Description: A SQL injection vulnerability exists in Daptin's aggregate API endpoint (`/aggregate/:typename`). User-supplied input is passed directly to `goqu.L()` (the literal function) without sanitization or validation, so an attacker can execute arbitrary SQL queries. In the file `server/resource/resource_aggregate.go`, the `column`, `group`, and `order` parameters from user requests are interpolated into SQL queries via `goqu.L()`:

```go
// Lines 139-141 in resource_aggregate.go
// "project" is taken from the request; both branches hand it to goqu.L() unchanged.
if strings.Index(project, " as ") > -1 {
	parts := strings.Split(project, " as ")
	projectionsAdded = append(projectionsAdded, goqu.L(parts[0]).As(parts[1]))
} else {
	projectionsAdded = append(projectionsAdded, goqu.L(project))
}
```

The `goqu.L()` function treats its input as a raw SQL literal, bypassing all query parameterization and escaping.
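The defensive counterpart to the snippet above, as an added example that is not Daptin's code and not the project's actual fix: the same `" as "` split is kept, but each piece is checked against a strict identifier pattern and an allowlist of the type's known columns before it may reach the query builder, so the caller can construct the expression with an identifier constructor (e.g. `goqu.I`) rather than `goqu.L`. The allowlist contents and the `ParseProjection` name are assumptions for illustration; the same check applies to the `group` and `order` values.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// identRe accepts only a plain, optionally table-qualified SQL identifier.
// Spaces, quotes, parentheses, semicolons and operators never match.
var identRe = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)?$`)

// Projection is a validated "column [as alias]" pair ready for goqu.I().
type Projection struct {
	Column string
	Alias  string
}

// ParseProjection mirrors the " as " split in resource_aggregate.go but refuses
// to forward the pieces as raw SQL: the column must be a known column of the
// requested type and the alias (if present) must be a bare identifier.
// (Hypothetical helper; allowed is the per-type column set the caller knows.)
func ParseProjection(project string, allowed map[string]bool) (Projection, error) {
	parts := strings.SplitN(project, " as ", 2)
	col := strings.TrimSpace(parts[0])
	alias := ""
	if len(parts) == 2 {
		alias = strings.TrimSpace(parts[1])
		if !identRe.MatchString(alias) {
			return Projection{}, fmt.Errorf("invalid alias %q", alias)
		}
	}
	if !identRe.MatchString(col) || !allowed[col] {
		return Projection{}, fmt.Errorf("unknown or malformed column %q", col)
	}
	return Projection{Column: col, Alias: alias}, nil
}

func main() {
	// Constructed sample allowlist and request values.
	allowed := map[string]bool{"id": true, "name": true, "created_at": true}
	for _, p := range []string{"name as n", "created_at", "name as n; junk", "password", "count(id)"} {
		pr, err := ParseProjection(p, allowed)
		fmt.Printf("%-18q -> %+v err=%v\n", p, pr, err)
	}
}
```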
Source: https://note-hxlab.wetolink.com/share/yMZ8oEgMTAur
User: hiro (UID 93548)
Submission: 12/19/2025 08:04 AM (3 months ago)
Moderation: 01/02/2026 11:08 AM (14 days later)
Status: Accepted
VulDB entry: 339384 [Daptin 0.10.3 Aggregate API resource_aggregate.go goqu.L column/group/order sql injection]
Points: 20
