# Description
SQL injection exists in the camptocamp/terraboard.
Among all APIs there is an API routed to `/api/search/attribute`, whose corresponding method is [api.SearchAttribute](https://github.com/camptocamp/terraboard/blob/master/api/api.go#L228). In the [api.SearchAttribute](https://github.com/camptocamp/terraboard/blob/master/api/api.go#L228) method, the program takes the request parameters and passes them into the [db.SearchAttribute](https://github.com/camptocamp/terraboard/blob/11e729391bb2d576fcd5fc18631ff3fbc3b18d2d/db/db.go#L323) method. In the [db.SearchAttribute](https://github.com/camptocamp/terraboard/blob/11e729391bb2d576fcd5fc18631ff3fbc3b18d2d/db/db.go#L323) method, when the request parameter `tf_version` or `lineage_value` is set, the program executes up to line [373](https://github.com/camptocamp/terraboard/blob/11e729391bb2d576fcd5fc18631ff3fbc3b18d2d/db/db.go#L373) or [377](https://github.com/camptocamp/terraboard/blob/11e729391bb2d576fcd5fc18631ff3fbc3b18d2d/db/db.go#L377). In these two lines, the program is dynamically splicing strings, which may lead to SQL injection.
As an example, part of the code on line 373 is as follows.
“`go
fmt.Sprintf(“states.tf_version LIKE ‘%s'”, fmt.Sprintf(“%%%s%%”, v))
“`
where the variable `v` is the request parameter `tf_version`, which is user controllable. When the variable `v` is the following string.
“`go
v := “‘ OR pg_sleep(10) OR states.tf_version LIKE ‘%”
“`
The sql statement will then change to `”states.tf_version LIKE ‘%’ OR pg_sleep(10) OR states.tf_version LIKE ‘%%'”`, This will cause pgsql to execute the `pg_sleep`function. Replacing `pg_sleep` with another statement will lead to more serious consequences.
# Proof of Concept
Try executing the following `curl` command which should have the effect of the request taking 10 seconds to get a response. Where `$DEMO_URL` is the address and port of the APP.
“`shell
curl “https://${DEMO_URL}/api/search/attribute?tf_version=’+OR+pg_sleep(10)+OR+states.tf_version+LIKE+’%”
“`