Franken

Reputation: 439

Sequelize where option sql injection?

Is the following sequelize call vulnerable for sql injection?

// Raw query-string input handed straight to Sequelize as the `where` option
var dataDirectlyFromTheUserWithoutValidation = req.query.filter;
Record.findAll({ where: dataDirectlyFromTheUserWithoutValidation });

Upvotes: 4

Views: 1999

Answers (1)

Cee McSharpface

Reputation: 8735

Yes, for versions below 4.

The library contains a comment in the source code of the SELECT query composition that states,

If you use a string, you have to escape it on your own.

Sequelize inserts the values of an options.where hash unescaped and unparametrized into a string that gets executed by the destination engine (I checked it only for MSSQL).

So callers need to take care to sanitize any user input to mitigate a possible SQL injection vulnerability in their applications.

Authors claim to have addressed this vulnerability starting from v4. Other vulnerabilities in connection with ORDER and LIMIT clauses have already been addressed starting from v3.16.

Upvotes: 1
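An added example (not code from the question or the answer) of the defensive side: convert the untrusted `filter` query parameter into the object form of `where`, refusing the raw-string form that the answer says older Sequelize pasted into the SELECT unescaped. The column allowlist and `FilterError` are hypothetical; no Sequelize call is made here, only the `where` object is built.

```javascript
// Hypothetical allowlist of columns a client may filter on. Column names cannot
// be parameterised by the database driver, so they must never come from input.
const ALLOWED_COLUMNS = new Set(['name', 'status', 'ownerId']);

class FilterError extends Error {}

// Turn req.query.filter into a `where` object suitable for Record.findAll().
// Accepts only { column: scalar } pairs; anything else is rejected.
function buildWhere(filter, allowed = ALLOWED_COLUMNS) {
  // A string `where` is exactly the shape the quoted source comment says the
  // caller must escape themselves, so reject it instead of trying to escape it.
  if (typeof filter !== 'object' || filter === null || Array.isArray(filter)) {
    throw new FilterError('filter must be an object of column=value pairs');
  }
  const where = {};
  for (const [column, value] of Object.entries(filter)) {
    if (!allowed.has(column)) {
      throw new FilterError(`unknown column: ${column}`);
    }
    // Only scalars: a nested object could introduce operator keys the route
    // never meant to expose, and a scalar value is escaped by the library.
    if (!['string', 'number', 'boolean'].includes(typeof value)) {
      throw new FilterError(`unsupported value for column: ${column}`);
    }
    where[column] = value;
  }
  return where;
}

// Helper for callers that want a boolean instead of an exception.
function isAcceptableFilter(filter, allowed = ALLOWED_COLUMNS) {
  try {
    buildWhere(filter, allowed);
    return true;
  } catch (e) {
    if (e instanceof FilterError) return false;
    throw e;
  }
}

// In a route handler this would be used as:
//   Record.findAll({ where: buildWhere(req.query.filter) });
```

A quote character in a value (such as `O'Brien`) is passed through as plain data, since escaping of values in the object form is left to the library rather than to string concatenation.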
