| Field | Value |
|---|---|
| Title | QuantumNous new-api 0.12.1 Improper Neutralization of Data Query Logic (CWE-943) |
# Description

## Technical Details
A SQL LIKE wildcard injection vulnerability exists in the TopUp search path of new-api. User-controlled keyword input is concatenated directly into a LIKE pattern without escaping wildcard metacharacters (`_`, `%`). Any authenticated user can alter matching semantics through `/api/user/topup/self`, and repeated wildcard-heavy requests can amplify database query workload. This is a narrow-fix variant: token/log search paths were hardened with `sanitizeLikePattern(...)`, but TopUp search was left unpatched.
## Vulnerable Code
File: `model/topup.go` and `controller/topup.go`
Method: `SearchUserTopUps`
Why: The controller reads attacker-controlled input via `keyword := c.Query("keyword")` and passes it to the model sink, which builds the SQL LIKE pattern unsafely: `like := "%%" + keyword + "%%"; query = query.Where("trade_no LIKE ?", like)`. The TopUp search path performs no normalization or escaping of SQL LIKE special characters, so `_` and `%` in the keyword are evaluated as pattern operators rather than as literal characters.
## Reproduction
1. Set up a vulnerable instance using `docker-compose.yml` running `calciumion/new-api:latest`.
2. Start the environment: `docker compose up -d`
3. Save the exploit script `poc_exploit.py`, which creates top-ups and uses wildcard keywords such as `trade_no[:-1]_`.
4. Save the control script `control-normal_keyword.py` to test exact vs control matching.
5. Execute the test scripts: `python3 poc_exploit.py --base-url http://127.0.0.1:13000`. The exploit script observes unintended match behavior in the TopUp order search, confirming that the wildcards are evaluated as pattern operators.
## Impact
- Unintended match behavior in TopUp order search via wildcard metacharacters.
- Potential query amplification and increased database workload via wildcard-heavy search patterns under concurrency (DoS-style degradation).
- Query integrity expectations are broken as literal search is no longer guaranteed when wildcards are unescaped.
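As an added illustration (not code from new-api or from the submitter), the Go snippet below places the vulnerable pattern construction beside a hardened form that escapes `%`, `_` and `\` before the keyword is embedded, and runs both against a few constructed trade numbers with a minimal LIKE evaluator so the difference is visible offline. `escapeLikePattern` is a hypothetical stand-in for the project's `sanitizeLikePattern(...)`; the trade numbers and keywords are made up for the demonstration, and the SQL fragment named in the comments assumes the query declares backslash as its escape character (`trade_no LIKE ? ESCAPE '\'`), which is required on engines such as SQLite that have no default escape character.

```go
package main

import (
	"fmt"
	"strings"
)

// escapeLikePattern escapes the LIKE metacharacters so that a user-supplied
// keyword is matched literally. Hypothetical stand-in for the project's
// sanitizeLikePattern; the backslash must also be declared as the escape
// character in the SQL clause, e.g. `trade_no LIKE ? ESCAPE '\'`.
// NewReplacer works in a single pass, so the backslash is not double-escaped.
func escapeLikePattern(s string) string {
	r := strings.NewReplacer(`\`, `\\`, `%`, `\%`, `_`, `\_`)
	return r.Replace(s)
}

// buildPatternUnsafe mirrors the vulnerable construction: the keyword is
// concatenated as-is, so `_` and `%` inside it act as pattern operators.
func buildPatternUnsafe(keyword string) string {
	return "%" + keyword + "%"
}

// buildPatternSafe is the hardened form: metacharacters are escaped first,
// so the pattern still performs a substring search but on the literal keyword.
func buildPatternSafe(keyword string) string {
	return "%" + escapeLikePattern(keyword) + "%"
}

// likeMatch is a minimal LIKE evaluator (`%` any run, `_` one character,
// `\` escapes the next character). It exists only to show the effect of the
// two patterns offline; in the application the database does this work.
func likeMatch(pattern, s string) bool {
	p := []rune(pattern)
	t := []rune(s)
	var match func(i, j int) bool
	match = func(i, j int) bool {
		for i < len(p) {
			switch {
			case p[i] == '\\' && i+1 < len(p):
				// Escaped character: must match literally.
				if j >= len(t) || t[j] != p[i+1] {
					return false
				}
				i += 2
				j++
			case p[i] == '%':
				// Try every possible length for the wildcard run.
				for k := j; k <= len(t); k++ {
					if match(i+1, k) {
						return true
					}
				}
				return false
			case p[i] == '_':
				if j >= len(t) {
					return false
				}
				i++
				j++
			default:
				if j >= len(t) || t[j] != p[i] {
					return false
				}
				i++
				j++
			}
		}
		return j == len(t)
	}
	return match(0, 0)
}

// searchTradeNos returns the trade numbers the given LIKE pattern matches.
func searchTradeNos(tradeNos []string, pattern string) []string {
	var hits []string
	for _, tn := range tradeNos {
		if likeMatch(pattern, tn) {
			hits = append(hits, tn)
		}
	}
	return hits
}

func main() {
	// Constructed sample trade numbers (not real data).
	tradeNos := []string{"TU-ABC-001", "TU-ABC_001", "TU-ABC-002", "TU-XYZ-001"}
	for _, keyword := range []string{"ABC_00", "%"} {
		fmt.Printf("keyword %q unsafe: %v\n", keyword, searchTradeNos(tradeNos, buildPatternUnsafe(keyword)))
		fmt.Printf("keyword %q safe:   %v\n", keyword, searchTradeNos(tradeNos, buildPatternSafe(keyword)))
	}
}
```

With the unsafe pattern the keyword `ABC_00` matches three of the four sample records and a bare `%` matches all of them; with the escaped pattern `ABC_00` matches only the record that literally contains that string and `%` matches nothing, which is the literal-search behaviour the impact section says is expected.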
| Field | Value |
|---|---|
| Source | https://gist.github.com/YLChen-007/92b68016a191180ed12e3e69bd20c066 |
| User | Eric-e (UID 97581) |
| Submission | 24/04/2026 02:16 PM (1 month ago) |
| Moderation | 22/05/2026 08:03 PM (28 days later) |
| Status | Duplicate |
| VulDB Entry | 365252 [QuantumNous new-api up to 0.12.1 self Endpoint model/topup.go SearchUserTopUps/SearchAllTopUps sql injection] |
| Points | 0 |