Prevent SQL Injection via Dynamic Templating in Query Engine #25
Description
Description:
The data query engine allows users to write dynamic SQL queries using template variables. If the engine.js resolves template strings and directly concatenates them into raw SQL strings before sending them to the database drivers, the system is vulnerable to SQL injection. This is particularly risky because standard SQL parameterization ($1, ?) does not support dynamic identifiers like table or column names, which users frequently try to template.
Impact:
Complete database compromise, allowing attackers to read, modify, or drop tables from connected PostgreSQL, MySQL, or MSSQL datasources.
Affected Components:
apps/backend/modules/dataQuery/queryEngine/engine.js
packages/datasources-logic/src/data-sources/postgresql/datasource.js (and other SQL adapters)
Suggested Remediation:
Refactor the query execution adapter to strictly map template variables to native parameterized query arguments.
For dynamic table/column identifiers, implement a strict allow-listing mechanism that validates the resolved template value against the known database schema before execution.