CVE-2026-44349 - Daptin fuzzy search injects unvalidated column name into raw SQL

📡 GitHub-Advisory · 2026-05-06

CVE-2026-44349

GHSA-pwqg-q8pg-pp6r HIGH go/github.com/daptin/daptin

CVE: CVE-2026-44349

Summary

processFuzzySearch in server/resource/resource_findallpaginated.go:1484 splits the user-supplied column parameter by comma and interpolates each segment directly into goqu.L(fmt.Sprintf("LOWER(%s) LIKE ?", prefix+col)) raw SQL with no column whitelist check. The entry point is GET /api/<entity> with operator=fuzzy (or fuzzy_any, fuzzy_all). Any authenticated user — including one who self-registered with no admin involvement — can read the entire database.


Details

At resource_findallpaginated.go:1761, when the operator is fuzzy, fuzzy_any, or fuzzy_all, execution routes to processFuzzySearch (line 1763) before processQueryFilter (line 1780). processQueryFilter is the only path that calls GetColumnByName (line 1351), which validates column names against the table schema. The fuzzy branch never reaches that check.

Inside processFuzzySearch (line 1484), filterQuery.ColumnName is split by comma. After strings.TrimSpace (line 1486), each segment is routed to a DB-driver-specific function. The injectable sink reached depends on the driver and the fuzzy_options.fallback_mode field.

SQLite (processFuzzySearchSQLite, lines 1632–1676) uses goqu.L in all code paths — no fallback_mode required:

  • goqu.L(fmt.Sprintf("LOWER(%s) LIKE ?", prefix+col), ...) — line 1650/1657

PostgreSQL, MySQL, MSSQL default to goqu.Ex (identifier-quoted, not injectable). The goqu.L sink is only reached when the attacker supplies a specific fuzzy_options.fallback_mode value in the HTTP query JSON:

  • PostgreSQL word_boundary mode (line 1540): goqu.L(fmt.Sprintf("%s ~* ?", prefix+col), ...)
  • MySQL soundex mode (line 1598): goqu.L(fmt.Sprintf("SOUNDEX(%s) = SOUNDEX(?)", prefix+col), ...)
  • MSSQL soundex mode (line 1694): goqu.L(fmt.Sprintf("DIFFERENCE(%s, ?) >= 3", prefix+col), ...)

fuzzy_options is deserialized from the HTTP request at line 243 (json.Unmarshal([]byte(query[0]), &queries)) — it is f
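The missing check described above, written out as an added example that is not Daptin's own code: a stand-in for the per-table schema lookup that processQueryFilter performs via GetColumnByName, applied to the comma-split fuzzy column list before any identifier reaches the LOWER(...) LIKE ? clause, alongside the raw-interpolation pattern the advisory quotes. The names TableSchema, NewTableSchema, ParseFuzzyColumns, QuoteIdent, BuildFuzzyClause, BuildFuzzyClauseUnsafe, the "user_account" table and its columns, and the AND/OR join rule for fuzzy_all versus fuzzy_any are all assumptions made for this example; goqu is not used, so the block runs with the standard library alone.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// TableSchema stands in for the per-table column metadata that
// GetColumnByName consults on the processQueryFilter path. The table and
// column names used below are constructed for this example.
type TableSchema struct {
	Table   string
	Columns map[string]struct{}
}

// NewTableSchema builds a schema from a list of column names.
func NewTableSchema(table string, cols ...string) TableSchema {
	s := TableSchema{Table: table, Columns: make(map[string]struct{}, len(cols))}
	for _, c := range cols {
		s.Columns[c] = struct{}{}
	}
	return s
}

// ParseFuzzyColumns mirrors the comma split and TrimSpace that
// processFuzzySearch performs, then adds the check the fuzzy branch skips:
// every segment must name a real column of the table, or the whole
// request is rejected before any SQL is built.
func ParseFuzzyColumns(columnParam string, schema TableSchema) ([]string, error) {
	var cols []string
	for _, raw := range strings.Split(columnParam, ",") {
		col := strings.TrimSpace(raw)
		if col == "" {
			continue
		}
		if _, ok := schema.Columns[col]; !ok {
			return nil, fmt.Errorf("fuzzy search: unknown column %q on table %q", col, schema.Table)
		}
		cols = append(cols, col)
	}
	if len(cols) == 0 {
		return nil, errors.New("fuzzy search: no column given")
	}
	return cols, nil
}

// QuoteIdent double-quotes an identifier and doubles any embedded quote,
// the same treatment goqu.Ex gives column names on the drivers that
// default to it.
func QuoteIdent(ident string) string {
	return `"` + strings.ReplaceAll(ident, `"`, `""`) + `"`
}

// BuildFuzzyClauseUnsafe reproduces the pattern from the advisory: the
// caller's column text is formatted straight into the SQL string.
func BuildFuzzyClauseUnsafe(prefix, col string) string {
	return fmt.Sprintf("LOWER(%s) LIKE ?", prefix+col)
}

// BuildFuzzyClause is the hardened form. Columns are validated against the
// schema and quoted, so the SQL text only ever contains identifiers the
// table has; the search term stays a bind parameter ("?"), as in the
// original. The join rule is an assumption for this example: fuzzy_all
// requires every column to match, fuzzy and fuzzy_any accept any column.
func BuildFuzzyClause(prefix, columnParam, operator, term string, schema TableSchema) (string, []interface{}, error) {
	cols, err := ParseFuzzyColumns(columnParam, schema)
	if err != nil {
		return "", nil, err
	}
	joiner := " OR "
	if operator == "fuzzy_all" {
		joiner = " AND "
	}
	parts := make([]string, 0, len(cols))
	args := make([]interface{}, 0, len(cols))
	pattern := "%" + strings.ToLower(term) + "%"
	for _, col := range cols {
		parts = append(parts, fmt.Sprintf("LOWER(%s%s) LIKE ?", prefix, QuoteIdent(col)))
		args = append(args, pattern)
	}
	return "(" + strings.Join(parts, joiner) + ")", args, nil
}

func main() {
	schema := NewTableSchema("user_account", "name", "email")
	clause, args, err := BuildFuzzyClause("user_account.", "name, email", "fuzzy_any", "Ali", schema)
	fmt.Println(clause, args, err)
	// An unknown column is rejected instead of being interpolated:
	_, _, err = BuildFuzzyClause("user_account.", "name, not_a_column", "fuzzy_any", "Ali", schema)
	fmt.Println(err)
	// The unsafe form passes the same text straight through:
	fmt.Println(BuildFuzzyClauseUnsafe("user_account.", "not_a_column"))
}
```

The point of the comparison is where the check lives: the hardened builder fails closed on the first segment that is not in the table schema, so nothing reaches the SQL string that the schema did not already contain, whereas the unsafe builder has no decision point at all. In a real fix the same validation belongs on every driver-specific branch (the SQLite path and the word_boundary and soundex fallback modes), since the page shows each of them reaching a goqu.L sink.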

