Authenticated (user role) SQL injection in `OrderAndPaginate` (GHSL-2023-270)
Description

Summary

The `OrderAndPaginate` function is used to order and paginate data. It is defined as follows:

```go
func OrderAndPaginate(c *gin.Context) func(db *gorm.DB) *gorm.DB {
	return func(db *gorm.DB) *gorm.DB {
		sort := c.DefaultQuery("order", "desc")
		order := fmt.Sprintf("`%s` %s", DefaultQuery(c, "sort_by", "id"), sort)
		db = db.Order(order)
		…
	}
}
```

By using [`DefaultQuery`](https://github.com/0xjacky/nginx-ui/blob/04bf8ec487f06ab17a9fb7f34a28766e5f53885e/model/model.go#L278-L287), the `"desc"` and `"id"` values are used as defaults only when the query parameters are not set. Thus the `order` and `sort_by` query parameters are user-controlled and are appended to the `order` variable without any sanitization before being passed to `db.Order`. The same happens with [`SortOrder`](https://github.com/0xjacky/nginx-ui/blob/04bf8ec487f06ab17a9fb7f34a28766e5f53885e/model/model.go#L91), but it doesn't seem to be used anywhere.

```go
func SortOrder(c *gin.Context) func(db *gorm.DB) *gorm.DB {
	return func(db *gorm.DB) *gorm.DB {
		sort := c.DefaultQuery("order", "desc")
		order := fmt.Sprintf("%s %s", DefaultQuery(c, "sort_by", "id"), sort)
		return db.Order(order)
	}
}
```

This issue was found using CodeQL for Go: Database query built from user-controlled sources.

Proof of Concept

Based on this setup using uozi/nginx-ui:v2.0.0-beta.7. In order to exploit this issue, we need to find a place where the `OrderAndPaginate` function is used. We can find it in the GET…
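The usual fix for this pattern is to never let user input reach the ORDER BY string: map `sort_by` against an allowlist of column names and accept only `asc`/`desc` for the direction. The following is an added example of such a hardened clause builder; it is not nginx-ui's code or part of the advisory, uses only the standard library (`url.Values` stands in for gin's query access), and the `allowedSortColumns` list and `defaultQuery` helper are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ErrInvalidSort is returned when a sort parameter is not on the allowlist.
var ErrInvalidSort = errors.New("invalid sort parameter")

// allowedSortColumns is a constructed allowlist for this example; a real
// handler lists exactly the columns of the table it queries.
var allowedSortColumns = map[string]bool{"id": true, "name": true, "created_at": true}

// defaultQuery mirrors gin's DefaultQuery on plain url.Values (assumed helper).
func defaultQuery(q url.Values, key, def string) string {
	if v := q.Get(key); v != "" {
		return v
	}
	return def
}

// BuildOrderClause is the hardened counterpart of the vulnerable fmt.Sprintf:
// the column must be on the allowlist and the direction must be exactly asc or
// desc, so the returned clause is always one of a fixed, known set of strings.
func BuildOrderClause(q url.Values, allowed map[string]bool) (string, error) {
	sortBy := defaultQuery(q, "sort_by", "id")
	if !allowed[sortBy] {
		return "", fmt.Errorf("%w: sort_by=%q", ErrInvalidSort, sortBy)
	}
	dir := strings.ToLower(defaultQuery(q, "order", "desc"))
	if dir != "asc" && dir != "desc" {
		return "", fmt.Errorf("%w: order=%q", ErrInvalidSort, dir)
	}
	return fmt.Sprintf("`%s` %s", sortBy, dir), nil
}

func main() {
	// Constructed sample query strings: defaults, a valid pair, and a rejected column.
	for _, raw := range []string{"", "sort_by=name&order=asc", "sort_by=not_a_column"} {
		q, _ := url.ParseQuery(raw)
		clause, err := BuildOrderClause(q, allowedSortColumns)
		fmt.Printf("%q -> clause=%q err=%v\n", raw, clause, err)
	}
}
```

Passing the validated `clause` to `db.Order` keeps the query shape identical to the original while removing the user-controlled string from it.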
