# humand-main-api — Multiple SQL injection candidates via unsafe `Sequelize.literal` interpolation

STATUS: DRAFT
program: humand | platform: huntr | repo: HumandDev/humand-main-api | commit: bb975d08cc

````
Repository URL: https://github.com/HumandDev/humand-main-api
Package Manager: npm
CVSS:
Attack Vector: Network
Title: humand-main-api — Multiple SQL injection candidates via unsafe `Sequelize.literal` interpolation

Description:

## huntr Form Fields

```
Package Manager: npm
Version Affected: latest (commit bb975d08cc)
Vulnerability Type: SQL Injection
CVSS:
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High
Title: Multiple Sequelize.literal callsites interpolate dynamic values into raw SQL
```

### Description

The codebase contains several `Sequelize.literal()` callsites where dynamic values are interpolated directly into SQL fragments. `Sequelize.literal()` emits its argument into the generated query verbatim, so nothing inside the fragment is parameter-bound: whatever protection these values get has to come from validation in the calling code. Some of the inputs may be partially validated upstream, but the pattern creates a repeated SQL injection risk and leaves every future change to those callers as a potential bypass.

Notable callsites:

1. `cursorPagination.ts` — interpolates the sort direction into a literal ORDER BY expression.
2. `forms.ts` — interpolates `valueToIncrement` into an arithmetic SQL literal.
3. `slas.ts` — interpolates a percentage value into HAVING/WHERE clauses.
4. `taskDAO.ts` — interpolates `courseId` into a subquery literal.

Any validation gap, cast mismatch, or alternate code path that reaches one of these builders with caller-controlled text turns it into an exploitable SQL injection vector.

### Proof of Concept

1. Identify an API path that flows user-controlled values into one of the listed literal builders.
2. Supply a malformed value containing SQL syntax (quotes, operators, comments).
3. Observe SQL parser errors, timing anomalies (`pg_sleep`), or altered record selection.

Example conceptual payloads:

```text
sortDir=DESC NULLS LAST, (SELECT pg_sleep(5))--
valueToIncrement=1); UPDATE users SET role='admin' WHERE id=...;--
```

Expected vulnerable behavior: the interpolated value reaches the raw SQL literal without parameter binding.

Two caveats apply when confirming a candidate. A parser error in step 3 shows that the value reached the SQL text; it does not by itself show that a useful injection is possible, so the surrounding query shape has to be read from the matching callsite. The stacked `UPDATE` payload additionally depends on the statement reaching the driver as a plain multi-statement string: when Sequelize binds other values in the same query, PostgreSQL's extended query protocol rejects multiple commands in one prepared statement, and only the expression-level payloads (such as the `ORDER BY` one) remain.

### Impact

If any candidate is reachable with insufficient validation, an attacker can execute arbitrary SQL read/write operations, bypass tenant isolation, and alter critical data.

### Occurrences

```
Permalink: https://github.com/HumandDev/humand-main-api/blob/bb975d08cc/src/api/modules/users/business/util/cursorPagination.ts#L67
Description: ORDER BY literal interpolates dynamic sort direction

Permalink: https://github.com/HumandDev/humand-main-api/blob/bb975d08cc/src/api/modules/forms/business/services/forms.ts#L1518
Description: position increment uses Sequelize.literal with interpolated numeric expression

Permalink: https://github.com/HumandDev/humand-main-api/blob/bb975d08cc/src/api/modules/users/business/services/slas.ts#L146-L160
Description: HAVING/WHERE clauses use interpolated percentage literal fragments

Permalink: https://github.com/HumandDev/humand-main-api/blob/bb975d08cc/src/api/modules/task/repositories/taskDAO.ts#L45
Description: task query embeds dynamic courseId in SQL literal
```

### References

```
URL: https://cwe.mitre.org/data/definitions/89.html
Name: CWE-89: SQL Injection

URL: https://sequelize.org/docs/v6/core-concepts/model-querying-basics/
Name: Sequelize querying and replacements

URL: https://owasp.org/www-community/attacks/SQL_Injection
Name: OWASP SQL Injection
```
````
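The hardening a fix for the four listed callsites needs, as an added JavaScript example that is not code from humand-main-api or the huntr report: each pattern from the Occurrences list is shown as an unsafe builder beside a validated one. `literal` is a stand-in for `Sequelize.literal()` (same contract: its argument goes into the query verbatim); the builder, column and table names are this example's own, and the bind-parameter variant assumes the enclosing Sequelize query passes the `bind` option, which should be checked against the Sequelize version the project uses.

```javascript
'use strict';
// Added example, not code from humand-main-api. Each of the four
// interpolation patterns named in the report appears as an unsafe builder
// next to a hardened one. `literal` stands in for Sequelize.literal();
// column, table and function names are invented for the example.

function literal(sql) {
  // Tagged raw SQL fragment: nothing inside it is parameter-bound.
  return { kind: 'literal', val: String(sql) };
}

function toBoundedInt(value, lo, hi) {
  // Accepts a number or a plain decimal string; rejects floats, hex,
  // exponents, empty strings and anything carrying SQL syntax.
  const s = String(value);
  if (!/^-?\d{1,15}$/.test(s)) throw new RangeError('expected a decimal integer');
  const n = Number(s);
  if (!Number.isSafeInteger(n) || n < lo || n > hi) {
    throw new RangeError(`expected an integer in [${lo}, ${hi}]`);
  }
  return n;
}

// 1. ORDER BY direction (the cursorPagination.ts pattern).
function buildOrderByUnsafe(column, sortDir) {
  return literal(`"${column}" ${sortDir}`); // caller-controlled text reaches SQL
}
const SORTABLE_COLUMNS = new Set(['id', 'created_at', 'last_name']);
const SORT_DIRECTIONS = new Set(['ASC', 'DESC']);
function buildOrderBySafe(column, sortDir) {
  // Both halves come from fixed allowlists; the literal never sees raw input.
  if (!SORTABLE_COLUMNS.has(column)) throw new RangeError('unknown sort column');
  const dir = String(sortDir).toUpperCase();
  if (!SORT_DIRECTIONS.has(dir)) throw new RangeError('invalid sort direction');
  return literal(`"${column}" ${dir}`);
}

// 2. Arithmetic increment (the forms.ts pattern).
function buildIncrementUnsafe(valueToIncrement) {
  return literal(`position + ${valueToIncrement}`);
}
function buildIncrementSafe(valueToIncrement) {
  const n = toBoundedInt(valueToIncrement, -1000, 1000);
  return literal(`position + ${n}`); // only the validated integer is interpolated
}

// 3. Percentage threshold in HAVING/WHERE (the slas.ts pattern).
function buildHavingUnsafe(pct) {
  return literal(`completed * 100.0 / total >= ${pct}`);
}
function buildHavingSafe(pct) {
  const s = String(pct);
  if (!/^\d{1,3}(\.\d{1,4})?$/.test(s)) throw new RangeError('expected a decimal percentage');
  const n = Number(s);
  if (n > 100) throw new RangeError('percentage out of range');
  // toFixed() yields digits and a dot only, so no SQL syntax can leak through.
  return literal(`completed * 100.0 / total >= ${n.toFixed(2)}`);
}

// 4. Id embedded in a subquery (the taskDAO.ts pattern).
function buildCourseSubqueryUnsafe(courseId) {
  return literal(`(SELECT id FROM courses WHERE id = ${courseId})`);
}
function buildCourseSubquerySafe(courseId) {
  // Keep the literal static and hand the id to the query as a named bind
  // parameter ($courseId); the enclosing query call must pass `bind`
  // (assumed to be supported by the Sequelize version in use).
  const id = toBoundedInt(courseId, 1, Number.MAX_SAFE_INTEGER);
  return {
    fragment: literal('(SELECT id FROM courses WHERE id = $courseId)'),
    bind: { courseId: id },
  };
}

if (typeof module !== 'undefined') {
  module.exports = {
    literal, toBoundedInt,
    buildOrderByUnsafe, buildOrderBySafe,
    buildIncrementUnsafe, buildIncrementSafe,
    buildHavingUnsafe, buildHavingSafe,
    buildCourseSubqueryUnsafe, buildCourseSubquerySafe,
  };
}
```

The common thread is that the literal text itself stays constant or is assembled only from allowlisted tokens and already-validated numbers; the one place a genuinely dynamic value is needed (the course id) leaves the literal static and moves the value into a bind parameter.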
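A first-pass check for the same pattern elsewhere in the tree, as an added example that is neither a project tool nor part of the report: it flags `literal()` calls whose argument is built from a template literal with `${...}` or from string concatenation, which is how the four occurrences above are constructed. The sample source lines are constructed for the example and are not quotes from the repository.

```javascript
'use strict';
// Added example, not part of humand-main-api or the huntr report. It
// scans source text for Sequelize.literal()/sequelize.literal()/literal()
// calls whose argument is assembled from a `${...}` template or from
// string concatenation. Heuristic and line-based: an argument that spans
// several lines is not seen, and a template literal later on the same
// line can cause a false positive. The sample input is constructed here.

const LITERAL_CALL = /\b(?:[Ss]equelize\.)?literal\s*\(/g;
// A backtick string containing `${` after the opening parenthesis.
const TEMPLATE_INTERPOLATION = /`[^`]*\$\{/;
// A quoted string joined to something with `+` ('x ' + y, or y + ' x').
const STRING_CONCAT = /(['"`][^'"`]*['"`])\s*\+|\+\s*['"`]/;

function findUnsafeLiterals(source, file = '<inline>') {
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    for (const m of line.matchAll(LITERAL_CALL)) {
      const arg = line.slice(m.index + m[0].length);
      let reason = null;
      if (TEMPLATE_INTERPOLATION.test(arg)) reason = 'template-interpolation';
      else if (STRING_CONCAT.test(arg)) reason = 'string-concatenation';
      if (reason) findings.push({ file, line: idx + 1, reason, text: line.trim() });
    }
  });
  return findings;
}

// Constructed sample: lines 1-4 mimic the four reported patterns, lines
// 5-6 are static literals that a fix would be allowed to keep.
const SAMPLE_SOURCE = [
  'order: [Sequelize.literal(`"created_at" ${sortDir}`)],',
  "position: Sequelize.literal('position + ' + valueToIncrement),",
  'having: sequelize.literal(`completed * 100.0 / total >= ${minPct}`),',
  'const sub = literal(`(SELECT id FROM courses WHERE id = ${courseId})`);',
  "order: [Sequelize.literal('\"created_at\" DESC')],",
  "where: { id: { [Op.in]: literal('(SELECT id FROM x WHERE flag = true)') } },",
].join('\n');

// Run against files given on the command line, or the sample when none.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const files = process.argv.slice(2);
  const hits = files.length
    ? files.flatMap((f) => findUnsafeLiterals(fs.readFileSync(f, 'utf8'), f))
    : findUnsafeLiterals(SAMPLE_SOURCE, 'sample');
  for (const h of hits) console.log(`${h.file}:${h.line} ${h.reason}: ${h.text}`);
}

if (typeof module !== 'undefined') {
  module.exports = { findUnsafeLiterals, SAMPLE_SOURCE };
}
```

Saved as, say, `scan-literals.js` (a name chosen for this example), `node scan-literals.js $(git ls-files 'src/**/*.ts')` lists every single-line offender with its reason; each hit still has to be read by hand to decide whether the interpolated value is already validated, which is exactly the judgement the report leaves open for its four occurrences.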