mirror of
https://github.com/actualbudget/actual.git
synced 2026-07-16 07:04:23 -05:00
[PR #7837] [CLOSED] [WIP] fix(compiler): escape single quotes in $oneof and id literals to prevent SQL injection #126854
Closed
opened 2026-06-14 06:17:53 -05:00 by GiteaMirror
·
0 comments
No Branch/Tag Specified
master
dependabot/npm_and_yarn/npm_and_yarn-cd62b4b37a
api-browser-custom-data-dir
tabedzki/feat/replacing-month-picker-with-day-picker
delay-initial-sync-until-loaded
jfdoming/mobile-app-build
cross-version-sync-compat
jfdoming/api-tokens-part-1
jfdoming/api-tokens-part-2
jfdoming/api-tokens-part-3
jfdoming/mobile-app-updates
claude/budget-version-migration-compat-151jlr
claude/worker-error-serialization-9iqtl7
claude/react-table-library-research-afx83z
claude/issue-8401-regression-test-9nw9l3
jfdoming/mobile-app-foundation-part-1
jfdoming/mobile-app-scaffold
release
ai-fix-cleanup-def-8290
claude/relaxed-shannon-jusywa
claude/fervent-keller-s6f2fq
claude/determined-feynman-st1y9z
claude/wizardly-einstein-vi2wce
claude/sweet-albattani-7nseio
feat/bank-sync-per-budget-file
claude/affectionate-cannon-y0kc82
claude/dependabot-findings-m9pgmb
claude/mac-app-ios-publish-zjs1lz
claude/vigilant-tesla-aiiyos
depot-migrate-secrets-1781296330308
claude/quirky-cerf-v5qck7
claude/animation-removal-alternative-2etfh1
claude/netlify-preview-comments-consolidate-9XPYa
osc/7391-error-boundaries-reports
claude/pensive-dijkstra-7DYui
claude/server-app-version-mismatch-HTCGv
claude/pr-8027-review-feedback-mELuO
claude/zealous-wozniak-e5pO0
claude/intelligent-heisenberg-BSHJq
claude/translation-download-refactor-jFRsO
claude/mobile-performance-ideas-G9PAO
claude/github-issue-7988-5A5ly
blacksmith-migration-ff70d2d
claude/great-mayer-KRvOk
claude/react-native-ios-compilation-fcJh5
claude/serene-goldberg-58xv0
claude/kind-euler-LVG3K
release-automation/edge-nightly
7710-bundle-migrations
claude/fix-docker-build-error-WMfed
claude/llm-compatible-release-notes-t20Nr
7710-tests-tdd
cursor/transaction-table-rewrite-f077
claude/plan-ci-secure-context-OtEe1
claude/fix-issue-7667-DPXi3
cursor/resolve-pr-7449-ee11
claude/fix-typescript-build-error-JPtZ5
copilot/add-repository-configs-to-packages
worktree-compressed-drifting-ritchie
claude/api-consumer-verification-kfz1K
pr-7454
claude/fix-issue-7410-LLLQ4
revert-7281-generate-icons
react-query-useSchedules
copilot/sub-pr-6140
package-upgrades
v26.7.0
v26.6.0
v26.5.2
v26.5.1
v26.5.0
v26.4.0
v26.3.0
v26.2.1
v26.2.0
v26.1.0
v25.12.0
v25.11.0
v25.10.0
v25.9.0
v25.8.0
v25.7.1
v25.7.0
v25.6.1
v25.6.0
v25.5.0
v25.4.0
v25.3.1
v25.3.0
v25.2.1
v25.2.0
v25.1.0
v24.12.0
v24.11.0
v24.10.1
v24.10.0
v24.9.0
v24.8.0
v24.7.0
v24.6.0
v24.5.0
v24.4.0
v24.3.0
v24.2.0
v24.1.0
v23.12.0
v23.11.0
v23.10.0
v23.9.0
v23.8.1
v23.8.0
v23.7.2
v23.7.1
v23.7.0
v23.6.0
v23.5.0
v23.4.2
v23.4.1
v23.4.0
v23.3.2
v23.3.0
v23.2.9
v23.2.5
v23.1.12
v22.12.9
Labels
Clear labels
AI generated
API
bank sync
budgeting
bug
can’t replicate
dependencies
docker
documentation
electron
experimental feature
feature
feedback
goal templates
good first issue
help wanted
importers
maintenance
needs info
needs testing
needs triage
needs votes
openid
payees
pull-request
regression
reports
responsive
rules
schedules
server
✨ merged
split transactions
tech debt
tech-support
theme
transaction import
transaction reconciliation
transactions
translations
upstream
user interface
✅ approved
wontfix
Mirrored from GitHub Pull Request
No Label
pull-request
Milestone
No items
No Milestone
Projects
Clear projects
No project
No Assignees
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: github-starred/actual#126854
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
📋 Pull Request Information
Original PR: https://github.com/actualbudget/actual/pull/7837
Author: @sebastiondev
Created: 5/14/2026
Status: ❌ Closed
Base:
master← Head:fix/cwe89-compiler-oneof-41f8📝 Commits (1)
d75633dfix: escape single quotes in $oneof SQL values and id literals to prevent SQL injection📊 Changes
1 file changed (+2 additions, -2 deletions)
View changed files
📝
packages/loot-core/src/server/aql/compiler.ts(+2 -2)📄 Description
Description
This PR fixes a SQL injection vulnerability (CWE-89) in the AQL query compiler. Two code paths in
packages/loot-core/src/server/aql/compiler.tsinterpolate user-supplied values into SQL strings without escaping single quotes:val()function,idliteral branch (line 343): When an expression hastype === 'id'andliteral === true, its value is placed directly into a SQL string as'${castedExpr.value}'— without any escaping. The adjacentstringliteral branch (line 346) already escapes quotes with.replace(/'/g, "''"), but this was missing foridliterals.$oneofoperator (line 720): The array of IDs passed to the$oneof/IN (...)clause is interpolated as'${String(id)}'per element — again without escaping single quotes.In both cases, a value containing a single quote (e.g.,
O'Malleyor a crafted payload like'; DROP TABLE ...--) breaks out of the SQL string literal. Theapi/queryendpoint accepts arbitrary AQL queries from authenticated API consumers, making these paths reachable with user-controlled input. In multiuser deployments, authenticated users are not necessarily trusted administrators.Related issue(s)
N/A — submitting fix directly.
Testing
Verified the fix by inspecting the generated SQL output for both code paths:
idliteral value oftest'valnow produces'test''val'instead of'test'val'.$oneofarray containing["abc", "x'y"]now producesIN ('abc','x''y')instead ofIN ('abc','x'y').stringliterals at line 347, so it is consistent with the existing codebase conventions.Reproduction (PoC):
An authenticated API consumer can send a query like:
Before this fix, the generated SQL would be:
The injected single quote closes the SQL string literal, allowing arbitrary SQL to execute. After this fix, the quote is doubled:
This keeps the entire value inside the string literal, neutralizing the injection.
The same issue applies to
idliterals — any query path that produces{type: 'id', literal: true, value: <user-input>}would be vulnerable.Adversarial review: Before submitting, we considered whether this is actually exploitable. The key question was whether user input can reach these code paths. It can — the
api/queryendpoint accepts arbitrary AQL filter expressions from authenticated clients, and both the$oneofoperator andid-typed literal values flow directly to the vulnerable interpolation without sanitization. We also verified that the underlying database layer (better-sqlite3) does not independently escape these values, since they are baked into the SQL string before the query is executed, not passed as bound parameters.Checklist
Release notes: Security: Fix SQL injection in AQL query compiler — escape single quotes in
$oneofIDs andidliteral values to prevent SQL injection via the query API.Submitted by Sebastion — autonomous open-source security research from Foundation Machines. Free for public repos via the Sebastion AI GitHub App.
Bundle Stats
View detailed bundle stats
desktop-client
Total
Changeset
locale/en.jsonView detailed bundle breakdown
Added
No assets were added
Removed
No assets were removed
Bigger
Smaller
No assets were smaller
Unchanged
loot-core
Total
Changeset
home/runner/work/actual/actual/packages/loot-core/src/server/aql/compiler.tsView detailed bundle breakdown
Added
Removed
Bigger
No assets were bigger
Smaller
No assets were smaller
Unchanged
No assets were unchanged
api
Total
Changeset
home/runner/work/actual/actual/packages/loot-core/src/server/aql/compiler.tsView detailed bundle breakdown
Added
No assets were added
Removed
No assets were removed
Bigger
Smaller
No assets were smaller
Unchanged
cli
Total
View detailed bundle breakdown
Added
No assets were added
Removed
No assets were removed
Bigger
No assets were bigger
Smaller
No assets were smaller
Unchanged
crdt
Total
View detailed bundle breakdown
Added
No assets were added
Removed
No assets were removed
Bigger
No assets were bigger
Smaller
No assets were smaller
Unchanged
🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.