
Is the following sequelize call vulnerable for sql injection?

```javascript
// Untrusted input taken straight from the query string and handed to the ORM
var dataDirectlyFromTheUserWithoutValidation = req.query.filter;
Record.findAll({ where: dataDirectlyFromTheUserWithoutValidation });
```
Franken

1 Answer


Yes, for versions below 4.

The library contains a comment in the source code of the SELECT query composition that states:

> If you use a string, you have to escape it on your own.

Sequelize inserts the values of an options.where hash unescaped and unparametrized into a string that gets executed by the destination engine (I checked it only for MSSQL).

So callers need to take care that they sanitize any user input to mitigate a possible SQL injection vulnerability in their applications.

Authors claim to have addressed this vulnerability starting from v4. Other vulnerabilities in connection with ORDER and LIMIT clauses have already been addressed starting from v3.16.

Cee McSharpface
  • But above 4.0 it is safe to use without sanitizing/escaping? Warning is still in the source code? – Franken Oct 09 '18 at 17:04
  • [it's complicated](https://snyk.io/vuln/npm:sequelize:20150517)... and may [depend on the connected RDBMS](https://stackoverflow.com/a/35668730/1132334). The warning is still there, but it applies to calls to an internal helper function that is not directly exposed via `findAll`. Given the [past history](https://snyk.io/vuln/npm:sequelize:20160106) of discovered and mitigated vulnerabilities, I would really actually back up and send something like "bye');drop table students;--" to a test database. Maybe we can attract one of the original authors to weigh in with an expert's statement. – Cee McSharpface Oct 10 '18 at 08:59
  • I thought it was safe to use unescaped strings if it is in the options object. If you do something like `sequelize.query('SELECT * FROM projects WHERE status = something',`, then anything in that string passed to sequelize.query from a user would be vulnerable. The query you have, Franken, is safe as far as I know. – mmmm Oct 11 '21 at 02:25
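The practical takeaway from the answer and the comments is that a `where` given as a raw string is concatenated into the statement, while a `where` given as an object is parametrized. The following is an added example, not code from the question, the answer, or Sequelize itself: it shows a small allowlist-based parser that turns a `filter` query parameter into a structured object before it ever reaches a query builder, next to a toy renderer that mimics both behaviours (raw-string concatenation vs. object-form parametrization). The column and operator names, the `filter` syntax (`column:op:value,...`), and the `toSql`/`rawWhereSql` helpers are all assumptions made for the illustration; they are not the Sequelize API.

```javascript
// Columns and operators this endpoint is willing to filter on (assumed allowlist).
const ALLOWED_COLUMNS = new Set(['status', 'owner_id', 'created_at']);
const ALLOWED_OPERATORS = new Set(['eq', 'ne', 'gt', 'lt']);
const SQL_OPS = { eq: '=', ne: '<>', gt: '>', lt: '<' };

// Parse an untrusted string such as "status:eq:open,owner_id:gt:42" into a
// structured where object. Anything that is not an allowed column/operator
// triple is rejected, so the raw text can never be handed to the ORM as a string.
function parseFilter(rawFilter) {
  if (typeof rawFilter !== 'string') {
    throw new TypeError('filter must be a single string');
  }
  const where = {};
  for (const clause of rawFilter.split(',')) {
    const parts = clause.split(':');
    if (parts.length !== 3) {
      throw new Error(`malformed clause: ${clause}`);
    }
    const [column, op, value] = parts;
    if (!ALLOWED_COLUMNS.has(column)) throw new Error(`column not allowed: ${column}`);
    if (!ALLOWED_OPERATORS.has(op)) throw new Error(`operator not allowed: ${op}`);
    // The value stays untrusted, but it only ever travels as a bound parameter.
    where[column] = { [op]: value };
  }
  return where;
}

// Toy renderer for the object form: identifiers come from the allowlist and
// values become positional placeholders, which is what a parametrized builder does.
function toSql(table, where) {
  if (typeof where === 'string') {
    throw new TypeError('refusing a raw string where clause; pass an object');
  }
  const fragments = [];
  const params = [];
  for (const [column, cond] of Object.entries(where)) {
    for (const [op, value] of Object.entries(cond)) {
      fragments.push(`${column} ${SQL_OPS[op]} ?`);
      params.push(value);
    }
  }
  const sql = `SELECT * FROM ${table}` +
    (fragments.length ? ` WHERE ${fragments.join(' AND ')}` : '');
  return { sql, params };
}

// Toy renderer for the string form, mirroring the "you have to escape it on
// your own" comment quoted in the answer: the text is concatenated verbatim.
function rawWhereSql(table, whereString) {
  return `SELECT * FROM ${table} WHERE ${whereString}`;
}

// What the question's findAll({ where: ... }) call looks like once the input
// is validated first: the request object is constructed here for the example.
function findAllSql(query) {
  return toSql('records', parseFilter(query.filter));
}

// Convenience for checks: does the parser refuse this input?
function isRejected(rawFilter) {
  try {
    parseFilter(rawFilter);
    return false;
  } catch (e) {
    return true;
  }
}

// Constructed sample inputs, including the probe string from the comment thread.
const okFilter = 'status:eq:open,owner_id:gt:42';
const probe = "bye');drop table students;--";

console.log(findAllSql({ filter: okFilter }));
console.log('probe rejected:', isRejected(probe));
console.log('raw string form would run:', rawWhereSql('records', probe));
```

With the object form the probe string never becomes part of the statement text: it is either rejected outright by `parseFilter` or, had it arrived as a plain value, bound as a parameter. The `rawWhereSql` output shows why the answer says callers must escape string `where` clauses themselves: the second statement in the probe ends up inside the query verbatim.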