Impact
Description
SQLBot contains a Cross-Workspace IDOR (Insecure Direct Object Reference) and Authorization Bypass vulnerability in the /api/v1/datasource/exportDsSchema and /api/v1/datasource/uploadDsSchema endpoints. An attacker can access and modify database schemas and data sources belonging to other tenants/workspaces.
The core weakness lies in two pieces of code in the backend:
Flaw 1: Critical interfaces missing authorization decorators
In backend/apps/datasource/api/datasource.py, the core API interfaces handling data source export and upload completely lack the @require_permissions decorator. While backend/main.py combined with middleware ensures the request has a valid authenticated Token, it only guarantees "logged-in" status and fails to verify workspace ownership (oid) for the targeted Data Source (ds_id).
Flaw 2: Pydantic > 2.0 model instantiation truncates permission fields
In interfaces like choose_tables and update, the application attempts to perform permission checks by instantiating models:
SqlbotPermission(..., permission=SqlbotPermission(...))
Since the system upgraded to pydantic>2.0, any undeclared or extra authorization fields passed during model construction are completely "swallowed/ignored". The SqlbotPermission class only declares role, type, and keyExpression. As a result, critical fine-grained resource indicators (workspace context, etc.) are lost. The decorator thus only checks the basic role and bypasses workspace ownership verification completely, leading to a critical Cross-Workspace Data Tampering IDOR.
Impact
This vulnerability allows any authenticated user (even from a newly created organization) to access or tamper with data sources belonging to other tenants. Confirmed material impacts include:
-
Sensitive Data Exfiltration: Attacker can export (download) arbitrary database schemas belonging to other users/corporations.
-
Cross-Workspace Data Tampering: Attacker can update metadata or connection details of databases that belong to other organizations workspace.
POC
Prerequisites
The target server hosts an accessible SQLBot network service.
A valid regular user account (user1 in Workspace OID: 1) and understanding of the victim's Data Source ID (Target DS_ID: 4, strictly bound to Workspace OID: 2).
Steps to Reproduce
- Execute the Exploit Script
Launch the attack against the target using the PoC script which automatically logs in as the attacker (user1) and exploits the IDOR to export user2's data source:
python3 test_idor_playwright.py
- Verify data exfiltration results
The server does not validate the workspace_oid and processes the request successfully, downloading user2's employee_salaries internal schema.
Using Playwright sniffing to get user1 token...
Token acquired! Length: 180
----------------------------------------
Malicious actor: user1 (Workspace OID: 1)
Target DS_ID: 4 (Strictly bound to Workspace OID: 2)
[VULNERABILITY CONFIRMED] IDOR Successful! Returned status: 200 OK
Response size: 6124 bytes of Excel data downloaded.
Parsing downloaded Excel file:
Sheets found: ['数据表列表', 'Sheet0']
--- Content of 数据表列表 ---
Sheet名称 表名 表备注
0 Sheet0 Q1_Secret_Financials_REAL CONFIDENTIAL Q1 REVENUE - DO NOT LEAK
--- Content of Sheet0 ---
字段名 字段备注
0 total_revenue Total Revenue Amount (USD)
1 ceo_bonus CEO Target Bonus
Affected versions
< v1.8.0
Patches
The vulnerability has been fixed in v1.8.0.
Workarounds
It is recommended to upgrade the version to v1.8.0.
References
If you have any questions or comments about this advisory:
Open an issue in https://github.com/dataease/sqlbot
Email us at [email protected]
Impact
Description
SQLBot contains a Cross-Workspace IDOR (Insecure Direct Object Reference) and Authorization Bypass vulnerability in the /api/v1/datasource/exportDsSchema and /api/v1/datasource/uploadDsSchema endpoints. An attacker can access and modify database schemas and data sources belonging to other tenants/workspaces.
The core weakness lies in two pieces of code in the backend:
Flaw 1: Critical interfaces missing authorization decorators
In backend/apps/datasource/api/datasource.py, the core API interfaces handling data source export and upload completely lack the @require_permissions decorator. While backend/main.py combined with middleware ensures the request has a valid authenticated Token, it only guarantees "logged-in" status and fails to verify workspace ownership (oid) for the targeted Data Source (ds_id).
Flaw 2: Pydantic > 2.0 model instantiation truncates permission fields
In interfaces like choose_tables and update, the application attempts to perform permission checks by instantiating models:
Since the system upgraded to pydantic>2.0, any undeclared or extra authorization fields passed during model construction are completely "swallowed/ignored". The SqlbotPermission class only declares role, type, and keyExpression. As a result, critical fine-grained resource indicators (workspace context, etc.) are lost. The decorator thus only checks the basic role and bypasses workspace ownership verification completely, leading to a critical Cross-Workspace Data Tampering IDOR.
Impact
This vulnerability allows any authenticated user (even from a newly created organization) to access or tamper with data sources belonging to other tenants. Confirmed material impacts include:
Sensitive Data Exfiltration: Attacker can export (download) arbitrary database schemas belonging to other users/corporations.
Cross-Workspace Data Tampering: Attacker can update metadata or connection details of databases that belong to other organizations workspace.
POC
Prerequisites
The target server hosts an accessible SQLBot network service.
A valid regular user account (user1 in Workspace OID: 1) and understanding of the victim's Data Source ID (Target DS_ID: 4, strictly bound to Workspace OID: 2).
Steps to Reproduce
Launch the attack against the target using the PoC script which automatically logs in as the attacker (user1) and exploits the IDOR to export user2's data source:
The server does not validate the workspace_oid and processes the request successfully, downloading user2's employee_salaries internal schema.
Affected versions
< v1.8.0
Patches
The vulnerability has been fixed in v1.8.0.
Workarounds
It is recommended to upgrade the version to v1.8.0.
References
If you have any questions or comments about this advisory:
Open an issue in https://github.com/dataease/sqlbot
Email us at [email protected]