# humand-main-api — SQL injection in profile field deletion via `Sequelize.literal`

STATUS: DRAFT

program: humand | platform: huntr | repo: HumandDev/humand-main-api | commit: bb975d08cc

Repository URL: https://github.com/HumandDev/humand-main-api
Package Manager: npm
CVSS:
Attack Vector: Network
Title: humand-main-api — SQL injection in profile field deletion via `Sequelize.literal`

Description:

## huntr Form Fields

```
Package Manager: npm
Version Affected: latest (commit bb975d08cc)
Vulnerability Type: SQL Injection
CVSS:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High
Title: SQL injection via unsanitized profileFieldUUID in Sequelize.literal
```

### Description

The endpoint `DELETE /backoffice/instances/:id/profile-fields/:profileFieldUUID` passes `profileFieldUUID` into a `Sequelize.literal()` expression without escaping or strict UUID validation.

Observed vulnerable pattern:

```ts
await UserDAO.update(
  { profileData: Sequelize.literal(`"profileData"-'${profileFieldUUID}'`) },
  { where: { instanceId } }
);
```

Route-level validation only checks that `profileFieldUUID` is present and non-empty; it does not enforce UUID format or block SQL metacharacters. Because `Sequelize.literal()` inserts raw SQL, attacker-controlled input in this position can break out of the quoted context and alter SQL semantics.

### Proof of Concept

1. Authenticate as a tenant admin with `manageInstance` permission.
2. Send a crafted request to the profile-field deletion endpoint with a SQL payload in `profileFieldUUID`.
3. Observe the generated SQL error behavior and/or side effects proving injection.

Example payload:

```http
DELETE /backoffice/instances/42/profile-fields/abc'||(SELECT%20pg_sleep(5))||'
Authorization: Bearer
```

Alternative data-oriented payload style:

```http
DELETE /backoffice/instances/42/profile-fields/x' OR 1=1 --
Authorization: Bearer
```

Expected vulnerable behavior: the unescaped attacker input is embedded in the SQL literal, so the request can be made to alter query logic or invoke database functions.

### Impact

A malicious or compromised admin can execute arbitrary SQL primitives against application data. In a multi-tenant environment this can lead to cross-tenant data access, privilege escalation, destructive writes, or broader database compromise.

### Occurrences

```
Permalink: https://github.com/HumandDev/humand-main-api/blob/bb975d08cc/src/api/modules/users/business/services/usersService.ts#L2635-L2638
Description: profileFieldUUID is interpolated directly into Sequelize.literal()

Permalink: https://github.com/HumandDev/humand-main-api/blob/bb975d08cc/src/api/modules/users/api/validations/usersValidations.ts#L340-L342
Description: validateProfileFieldUUIDPathParam delegates to generic non-empty path param validation

Permalink: https://github.com/HumandDev/humand-main-api/blob/bb975d08cc/src/api/common/validator/index.ts#L13-L23
Description: validatePathParam only checks presence/length, not strict UUID format
```

### References

```
URL: https://cwe.mitre.org/data/definitions/89.html
Name: CWE-89: Improper Neutralization of Special Elements used in an SQL Command

URL: https://sequelize.org/docs/v6/other-topics/sub-queries/
Name: Sequelize.literal documentation (raw SQL usage risks)

URL: https://owasp.org/www-project-top-ten/2017/A1_2017-Injection
Name: OWASP Injection
```
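A hardened counterpart to the vulnerable pattern described above, added here as an illustration and not code from the humand-main-api project: the path parameter is validated as a strict UUID before any SQL is assembled, and it reaches the database as a bind value rather than being interpolated into `Sequelize.literal()`. The table and column names, the `$name` bind syntax and the helper's shape are assumptions; it imports nothing so it runs stand-alone.

```typescript
// Added hardening example (not project code): validate the path parameter as a
// UUID before any SQL is built, and pass it as a bind value instead of
// interpolating it into Sequelize.literal(). Table/column names and the
// "$name" bind syntax are assumptions for illustration.

// Anchored 8-4-4-4-12 hex pattern: the anchors stop anything riding along
// behind a well-formed prefix, and the hex class excludes quotes, operators
// and comment markers outright.
const UUID_RE =
  /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

export function isStrictUuid(value: unknown): value is string {
  return typeof value === "string" && UUID_RE.test(value);
}

export interface ParameterisedUpdate {
  sql: string;
  bind: { key: string; instanceId: number };
}

// Same jsonb "remove key" operation the report's literal performs, but the key
// never touches the SQL text: it is referenced as $key and supplied in `bind`.
export function buildProfileFieldDeletion(
  instanceId: number,
  profileFieldUUID: string,
): ParameterisedUpdate {
  if (!Number.isInteger(instanceId) || instanceId <= 0) {
    throw new Error("instanceId must be a positive integer");
  }
  if (!isStrictUuid(profileFieldUUID)) {
    // This is the check the route-level validator lacked: reject early,
    // before any query is assembled, rather than relying on escaping.
    throw new Error("profileFieldUUID is not a valid UUID");
  }
  return {
    sql:
      'UPDATE "users" SET "profileData" = "profileData" - $key::text ' +
      'WHERE "instanceId" = $instanceId',
    bind: { key: profileFieldUUID.toLowerCase(), instanceId },
  };
}
```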