NocoDB: Postgres SQL Injection in Formula `ARRAYSORT`

Summary

An authenticated user with columnAdd permission on a Postgres-backed base can inject arbitrary SQL into the formula engine via the optional direction argument of ARRAYSORT(...). The value is unrestricted by formula validation and embedded into a knex.raw ORDER BY clause, executing during column creation and on every subsequent record read of the formula column.

Details

The vulnerability is specific to the Postgres mapping for ARRAYSORT in packages/nocodb/src/db/functionMappings/pg.ts. Two factors combine:

1. ARRAYSORT declares only argument count, not validation.args.type, so validate-extract-tree.ts does not enforce an allowlist on the second argument.
2. The Postgres mapping then passes the attacker-controlled value through sanitize(knex.raw(...)) into a raw SQL fragment:

const direction = pt.arguments[1]
  ? sanitize(
      knex.raw(pt.arguments[1]?.value ?? (await fn(pt.arguments[1])).builder),
    )
  : knex.raw('asc');

return {
  builder: knex.raw(`ARRAY(SELECT UNNEST(??) ORDER BY 1 ??)`, [source, direction]),
};

sanitize() in sqlSanitize.ts only escapes ? placeholder characters; it does not validate SQL syntax. A payload such as "desc, (SELECT COUNT(*) FROM generate_series(1,30000000))" is accepted, persisted, and re-executed on every read of the formula column.

Impact

• Authenticated SQL injection against Postgres-backed bases.
• Requires columnAdd permission (creator/owner-level).
• Proven impact: attacker-controlled heavy SQL causing multi-second query stalls (DoS).
• Potentially extendable to broader SQL injection outcomes depending on database permissions and deployment hardening.
• Limited to Postgres backends.

Credit

This issue was reported by @leduckhuong.