NOTE I originally wrote this in a rush hoping that the information provided here would be sufficient to start a conversation. It turned out it was not. Please refer to this comment below for a better explanation (and A DEMO) of the issue: Standard way to prevent formula injections when using AirTable `select` and `filterByFormula` - #15 by Luciano_Mammino
Hello,
When using your APIs to get data dynamically from a table, is there any secure way to handle formulas that need to contain user input data?
How can we avoid a user trying to alter the formula by crafting an injection (like a SQL injection but for your formula language)?
I couldn’t find anything in the docs, nor any utility in your (JavaScript) SDK…
So far I had to come up with my own escape function…
In case you need an example, this is my formula:
`{code} = 'someCodePassedByUser'`
If the user passes the following code
`' >= 0 & '`
I end up with
`{code} = '' >= 0 & ''`
which is always TRUE!
Considering that injections are the 3rd item in the OWASP Security Top 10, I would consider this a VERY BIG SECURITY FLAW for people using Airtable as a backend. :skull_and_crossbones: :skull_and_crossbones: :skull_and_crossbones:
You should mention this in the docs and provide a standard way to sanitize user input for formulas.
A function built in the JavaScript SDK would be ideal…
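As an added illustration (not code from the post above nor from Airtable's SDK), the snippet below contrasts the naive string concatenation with an escaped version and includes a small checker that shows which characters of the user input end up outside the string literal. It assumes that Airtable single-quoted string literals accept backslash escapes for `'` and `\`; the checker is a deliberately simplified scanner, not Airtable's formula parser.

```javascript
// Assumption: inside an Airtable single-quoted string literal, \' and \\ are
// treated as a literal quote and a literal backslash.
function escapeFormulaString(value) {
  return String(value)
    .replace(/\\/g, '\\\\') // escape backslashes first, so they cannot neutralise the next step
    .replace(/'/g, "\\'");  // then escape single quotes
}

// Naive construction: user input is pasted straight into the formula.
function naiveFilter(userCode) {
  return `{code} = '${userCode}'`;
}

// Escaped construction: user input can only ever be string content.
function safeFilter(userCode) {
  return `{code} = '${escapeFormulaString(userCode)}'`;
}

// Simplified scanner: returns the parts of the formula that sit OUTSIDE
// single-quoted string literals, honouring backslash escapes. Anything the
// user typed that shows up here is being interpreted as formula syntax.
function outsideLiterals(formula) {
  let out = '';
  let inString = false;
  for (let i = 0; i < formula.length; i++) {
    const ch = formula[i];
    if (inString) {
      if (ch === '\\') { i++; continue; } // skip the escaped character
      if (ch === "'") inString = false;
      continue;
    }
    if (ch === "'") { inString = true; continue; }
    out += ch;
  }
  return out;
}

// Constructed sample input: the payload from the post above.
const payload = "' >= 0 & '";
console.log('naive :', naiveFilter(payload), '| outside:', outsideLiterals(naiveFilter(payload)));
console.log('safe  :', safeFilter(payload), '| outside:', outsideLiterals(safeFilter(payload)));
```

With the naive version the comparison operator and `&` leak into formula syntax; with the escaped version everything the user typed stays inside the literal.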