Affected version: 26.4.2 (confirmed still present in 26.5.1)
Component: com.arcadedb.remote.RemoteVertex (arcadedb-network)
Summary
newEdge(...) builds the CREATE EDGE … SET prop = 'value' … SQL by concatenating property values with no escaping. A value containing a single quote (O'Brien) breaks the query; a malicious value injects arbitrary SQL against the remote server.
Code
network/com/arcadedb/remote/RemoteVertex.java:212–230
for (int i = 0; i < properties.length; i += 2) {
final String propName = (String) properties[i];
final Object propValue = properties[i + 1];
…
if (propValue instanceof String) query.append("'");
query.append(propValue);
if (propValue instanceof String) query.append("'");
}
Impact
SQL injection via any user-supplied property value passed through vertex.newEdge(type, target, "name", userInput). Non-malicious users also get hard-to-diagnose parse errors on names with apostrophes.
Suggested fix
Use the existing parameter-binding path (SET prop = :p0, … + parameter map) through databaseCommand.
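As an added illustration of that fix (example code written for this report, not ArcadeDB's own RemoteVertex implementation), the following stand-alone Java class builds the same CREATE EDGE statement two ways: the concatenating shape quoted above, and a bound shape where the SQL text only ever contains :p0, :p1, … placeholders and the values travel in a parameter map. The class names, the BoundCommand holder, the sample RIDs and the identifier/RID validation regexes are assumptions for the example; the report's databaseCommand path is assumed to accept the parameter map alongside the SQL string.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added example (not ArcadeDB code): builds CREATE EDGE ... SET ... with named parameters.
public class ParameterizedEdgeQuery {

    // Holder for the SQL text plus the parameter map that must be sent with it.
    public static final class BoundCommand {
        public final String sql;
        public final Map<String, Object> params;

        BoundCommand(String sql, Map<String, Object> params) {
            this.sql = sql;
            this.params = params;
        }
    }

    private static final String IDENTIFIER = "[A-Za-z_][A-Za-z0-9_]*";
    private static final String RID = "#\\d+:\\d+"; // assumed RID shape, e.g. #1:0

    // Vulnerable shape, mirroring the report: property values are inlined into the SQL.
    public static String buildUnsafe(String edgeType, String fromRid, String toRid, Object... properties) {
        StringBuilder query = new StringBuilder("CREATE EDGE " + edgeType + " FROM " + fromRid + " TO " + toRid);
        for (int i = 0; i < properties.length; i += 2) {
            query.append(i == 0 ? " SET " : ", ").append(properties[i]).append(" = ");
            Object propValue = properties[i + 1];
            if (propValue instanceof String) query.append("'");
            query.append(propValue); // a quote inside propValue terminates the literal here
            if (propValue instanceof String) query.append("'");
        }
        return query.toString();
    }

    // Hardened shape: values never touch the SQL text; they are bound as :p0, :p1, ...
    public static BoundCommand buildBound(String edgeType, String fromRid, String toRid, Object... properties) {
        if (properties.length % 2 != 0)
            throw new IllegalArgumentException("properties must be name/value pairs");
        // Identifiers and RIDs cannot be bound as parameters, so they are validated instead.
        if (!edgeType.matches(IDENTIFIER))
            throw new IllegalArgumentException("invalid edge type: " + edgeType);
        if (!fromRid.matches(RID) || !toRid.matches(RID))
            throw new IllegalArgumentException("invalid RID");

        StringBuilder query = new StringBuilder("CREATE EDGE " + edgeType + " FROM " + fromRid + " TO " + toRid);
        Map<String, Object> params = new LinkedHashMap<>();
        for (int i = 0; i < properties.length; i += 2) {
            String propName = (String) properties[i];
            if (!propName.matches(IDENTIFIER))
                throw new IllegalArgumentException("invalid property name: " + propName);
            String paramName = "p" + (i / 2);
            query.append(i == 0 ? " SET " : ", ").append(propName).append(" = :").append(paramName);
            params.put(paramName, properties[i + 1]); // value goes to the map, untouched
        }
        return new BoundCommand(query.toString(), params);
    }

    public static void main(String[] args) {
        String fromRid = "#1:0", toRid = "#2:0"; // constructed sample RIDs
        String userInput = "O'Brien";            // constructed sample value from the report

        System.out.println(buildUnsafe("Knows", fromRid, toRid, "name", userInput));

        BoundCommand cmd = buildBound("Knows", fromRid, toRid, "name", userInput, "since", 2024);
        System.out.println(cmd.sql);
        System.out.println(cmd.params);
        // cmd.sql and cmd.params would be handed to the databaseCommand path together.
    }
}
```

Running main shows the unsafe statement with the apostrophe breaking the quoted literal, while the bound statement is the same for every input and the apostrophe only ever appears inside the parameter map. Identifiers (edge type, property names) and RIDs cannot be bound, so the hardened builder whitelists their shape rather than quoting them.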