The telemetry aggregation API accepts user-controlled aggregationType, aggregateColumnName, and aggregationTimestampColumnName parameters and interpolates them directly into ClickHouse SQL queries via the .append() method (documented as "trusted SQL"). There is no allowlist, no parameterized query binding, and no input validation. An authenticated user can inject arbitrary SQL into ClickHouse, enabling full database read (including telemetry data from all tenants), data modification, and potential remote code execution via ClickHouse table functions.
Entry Point — Common/Server/API/BaseAnalyticsAPI.ts:88-98, 292-296:
The POST /{modelName}/aggregate route deserializes aggregateBy directly from the request body:
// BaseAnalyticsAPI.ts:292-296
const aggregateBy: AggregateBy<TBaseModel> = JSONFunctions.deserialize(
req.body["aggregateBy"]
) as AggregateBy<TBaseModel>;
No schema validation is applied to aggregateBy. The object flows directly to the database service.
No Validation — Common/Server/Services/AnalyticsDatabaseService.ts:276-278:
// AnalyticsDatabaseService.ts:276-278
if (aggregateBy.aggregationType) {
// Only truthiness check — no allowlist
}
The aggregationType field is only checked for existence, never validated against an allowed set of values (e.g., AVG, SUM, COUNT).
Raw SQL Injection — Common/Server/Utils/AnalyticsDatabase/StatementGenerator.ts:527:
// StatementGenerator.ts:527
statement.append(
`${aggregationType}(${aggregateColumnName}) as aggregationResult`
);
The .append() method on Statement (at Statement.ts:149-151) is documented as accepting trusted SQL and performs raw string concatenation:
// Statement.ts:149-151
public append(text: string): Statement {
this.query += text; // Raw concatenation — "trusted SQL"
return this;
}
Similarly, aggregationTimestampColumnName...
10.0.23Exploitability
AV:NAC:LPR:LUI:NScope
S:CImpact
C:HI:HA:H9.9/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H