fix(arangoDBPlugin): prevent AQL injection via unsafe string concatenation#41641

Merged
subrata71 merged 1 commit into release from cursor/arangodb-aql-injection-9b93
Mar 23, 2026

Conversation


@subrata71 subrata71 commented Mar 20, 2026

Description

Fixes an AQL (ArangoDB Query Language) injection vulnerability in the ArangoDB plugin where user-provided inputs (collection names, filter keys, and values) were concatenated directly into query strings without sanitization or parameter binding.

TL;DR: The StructureUtils class constructed AQL queries via unsafe string concatenation, allowing attackers to manipulate query structure and execute arbitrary AQL commands. This fix introduces proper escaping for string literals and backtick-quoting for collection names.

Vulnerability Details

The methods generateSelectTemplate, generateCreateTemplate, generateUpdateTemplate, generateRemoveTemplate, and getOneDocumentQuery in StructureUtils.java were vulnerable to AQL injection. For example:

// Before (vulnerable):
String rawQuery = "FOR document IN " + collectionName + "\n"
    + "FILTER document._key == \"" + filterValue + "\"\n"
    + "RETURN document";

An attacker controlling filterValue (e.g., " OR 1==1 RETURN document //) could force the query to return all documents.

Fix

  1. sanitizeCollectionName() - Backtick-quotes collection names for safe AQL identifier inclusion, escaping internal backticks by doubling them per AQL quoting rules.
  2. escapeAqlStringLiteral() - Escapes \, ", \n, \r in string values for safe inclusion within double-quoted AQL string literals.
  3. Both methods are applied to all five vulnerable query construction points.

Advisory

  • GHSA: GHSA-7mv3-55hh-pp69
  • CVSS: 8.8 (High)
  • Impact: AQL Injection leading to potential data exfiltration, data manipulation, and denial of service.

Fixes https://linear.app/appsmith/issue/APP-15027/aql-injection-in-arangodb-plugin-via-unsafe-string-concatenation

Automation

/ok-to-test tags="@tag.All"

🔍 Cypress test results

Tip

🟢 🟢 🟢 All cypress tests have passed! 🎉 🎉 🎉
Workflow run: https://github.com/appsmithorg/appsmith/actions/runs/23336206945
Commit: 9d43228
Tags: @tag.All
Fri, 20 Mar 2026 10:21:45 UTC

Communication

Should the DevRel and Marketing teams inform users about this change?

  • Yes
  • No

Summary by CodeRabbit

  • Bug Fixes

    • Enhanced ArangoDBPlugin security by implementing input sanitization to prevent injection vulnerabilities in database queries.
  • Tests

    • Added comprehensive test coverage verifying proper handling of malicious inputs and edge cases in the ArangoDBPlugin.
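Added example, not the plugin's own StructureUtils code: the two helpers as the description specifies them, applied to the select template with the filterValue payload from the description so the contained result can be compared with the raw concatenation. The class name AqlEscapeDemo, the method bodies and the sample collection name are assumptions.

```java
import java.util.Objects;

// Added example, not the plugin's StructureUtils: the two helpers as the PR describes them.
public final class AqlEscapeDemo {

    // Backtick-quote an AQL identifier; internal backticks are doubled, as the fix describes.
    static String sanitizeCollectionName(String name) {
        Objects.requireNonNull(name, "collection name");
        return "`" + name.replace("`", "``") + "`";
    }

    // Escape a value for a double-quoted AQL string literal: backslash, quote, LF and CR.
    // Backslash is replaced first so the escapes added afterwards are not escaped again.
    static String escapeAqlStringLiteral(String value) {
        Objects.requireNonNull(value, "value");
        return value.replace("\\", "\\\\")
                    .replace("\"", "\\\"")
                    .replace("\n", "\\n")
                    .replace("\r", "\\r");
    }

    // The PR's "before" shape: raw concatenation (kept only for contrast).
    static String vulnerableSelect(String collectionName, String filterValue) {
        return "FOR document IN " + collectionName + "\n"
             + "FILTER document._key == \"" + filterValue + "\"\n"
             + "RETURN document";
    }

    // The PR's "after" shape: identifier quoted, literal escaped.
    static String safeSelect(String collectionName, String filterValue) {
        return "FOR document IN " + sanitizeCollectionName(collectionName) + "\n"
             + "FILTER document._key == \"" + escapeAqlStringLiteral(filterValue) + "\"\n"
             + "RETURN document";
    }

    public static void main(String[] args) {
        String payload = "\" OR 1==1 RETURN document //"; // filterValue from the PR description
        System.out.println(vulnerableSelect("users", payload)); // closes the literal early
        System.out.println(safeSelect("users", payload));       // payload stays inside the literal

        // Self-checks: the quote is escaped, so FILTER compares _key against the whole payload.
        if (!safeSelect("users", payload).contains("_key == \"\\\" OR 1==1 RETURN document //\""))
            throw new AssertionError("string literal not escaped");
        // A backtick inside a collection name cannot terminate the quoted identifier.
        if (!sanitizeCollectionName("users` REMOVE d IN users //").equals("`users`` REMOVE d IN users //`"))
            throw new AssertionError("identifier not quoted");
        // Backslash-then-quote input: the backslash is doubled before the quote is escaped.
        if (!escapeAqlStringLiteral("\\\"").equals("\\\\\\\""))
            throw new AssertionError("backslash ordering");
    }
}
```

Bind parameters (@@collection for the collection name and @key for the value, passed as bindVars) remain the more robust option wherever the query can be executed that way; that is the parameter binding the description notes was missing.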

…ation

Sanitize collection names and escape string values in AQL query
templates generated by StructureUtils to prevent AQL injection.

Changes:
- Add sanitizeCollectionName() that backtick-quotes collection names,
  escaping internal backticks per AQL identifier quoting rules.
- Add escapeAqlStringLiteral() that escapes backslashes, double quotes,
  and newlines in string values embedded in AQL queries.
- Apply sanitization to generateSelectTemplate, generateCreateTemplate,
  generateUpdateTemplate, generateRemoveTemplate, and getOneDocumentQuery.
- Add StructureUtilsTest with 15 tests covering normal usage, null
  handling, and injection attempts via both collection names and filter
  values.

Co-authored-by: subratadeypappu <subrata71@users.noreply.github.com>

coderabbitai bot commented Mar 20, 2026

Walkthrough

The ArangoDB plugin now sanitizes collection names and string filter values in AQL query construction through two new helper methods, treating untrusted inputs as potentially malicious and escaping them to prevent injection attacks.

Changes

Cohort: Security Sanitization
File: app/server/appsmith-plugins/arangoDBPlugin/src/main/java/com/external/utils/StructureUtils.java
Summary: Added sanitizeCollectionName() and escapeAqlStringLiteral() helper methods to escape backticks, quotes, backslashes, and control characters. Updated Select, Create, Update, Remove, and getOneDocumentQuery() methods to use these sanitization functions instead of raw string concatenation.

Cohort: Test Coverage
File: app/server/appsmith-plugins/arangoDBPlugin/src/test/java/com/external/utils/StructureUtilsTest.java
Summary: Added comprehensive JUnit 5 test suite with 15 test methods validating sanitization of normal inputs, null handling, embedded backticks, AQL injection attempts, and correct query generation across Select/Create/Update/Delete templates.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🛡️ With backticks doubled and quotes escaped clean,
The queries flow safe—no injections between,
Collection names tamed, filter values secure,
ArangoDB's defenses now sturdier, sure! ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 9.09%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

  • Title check: ✅ Passed. The title accurately summarizes the main change: fixing an AQL injection vulnerability through safer string handling in the ArangoDB plugin.
  • Description check: ✅ Passed. The PR description is comprehensive and addresses all key template requirements, including issue linkage, detailed vulnerability context, fix explanation, and communication decision.



@subrata71 subrata71 self-assigned this Mar 20, 2026
@subrata71 subrata71 added the ok-to-test Required label for CI label Mar 20, 2026
@subrata71 subrata71 marked this pull request as ready for review March 20, 2026 09:49
@subrata71 subrata71 merged commit b142de4 into release Mar 23, 2026
90 checks passed
@subrata71 subrata71 deleted the cursor/arangodb-aql-injection-9b93 branch March 23, 2026 12:55