Headline
CVE-2023-25813: fix: do not replace `:replacements` inside of strings (#14472) · sequelize/sequelize@ccaa399
Sequelize is a Node.js ORM tool. In versions prior to 6.19.1 a SQL injection exploit exists related to replacements. Parameters which are passed through replacements are not properly escaped which can lead to arbitrary SQL injection depending on the specific queries in use. The issue has been fixed in Sequelize 6.19.1. Users are advised to upgrade. Users unable to upgrade should not use the replacements and the where option in the same query.
@@ -0,0 +1,106 @@ import type { Dialect } from '…/…/sequelize.js’; import type { AbstractQuery } from './query.js’;
export declare type DialectSupports = { 'DEFAULT’: boolean; 'DEFAULT VALUES’: boolean; 'VALUES ()': boolean; 'LIMIT ON UPDATE’: boolean; 'ON DUPLICATE KEY’: boolean; 'ORDER NULLS’: boolean; 'UNION’: boolean; 'UNION ALL’: boolean; 'RIGHT JOIN’: boolean; EXCEPTION: boolean; forShare?: ‘LOCK IN SHARE MODE’ | ‘FOR SHARE’ | undefined; lock: boolean; lockOf: boolean; lockKey: boolean; lockOuterJoinFailure: boolean; skipLocked: boolean; finalTable: boolean; returnValues: false | { output: boolean; returning: boolean; }; autoIncrement: { identityInsert: boolean; defaultValue: boolean; update: boolean; }; bulkDefault: boolean; schemas: boolean; transactions: boolean; settingIsolationLevelDuringTransaction: boolean; transactionOptions: { type: boolean; }; migrations: boolean; upserts: boolean; inserts: { ignoreDuplicates: string; updateOnDuplicate: boolean | string; onConflictDoNothing: string; conflictFields: boolean; }; constraints: { restrict: boolean; addConstraint: boolean; dropConstraint: boolean; unique: boolean; default: boolean; check: boolean; foreignKey: boolean; primaryKey: boolean; onUpdate: boolean; }; index: { collate: boolean; length: boolean; parser: boolean; concurrently: boolean; type: boolean; using: boolean | number; functionBased: boolean; operator: boolean; where: boolean; }; groupedLimit: boolean; indexViaAlter: boolean; JSON: boolean; JSONB: boolean; ARRAY: boolean; RANGE: boolean; NUMERIC: boolean; GEOMETRY: boolean; GEOGRAPHY: boolean; REGEXP: boolean; /** * Case-insensitive regexp operator support (‘~*’ in postgres). */ IREGEXP: boolean; HSTORE: boolean; TSVECTOR: boolean; deferrableConstraints: boolean; tmpTableTrigger: boolean; indexHints: boolean; searchPath: boolean; };
export declare abstract class AbstractDialect { /** * List of features this dialect supports. * * Important: Dialect implementations inherit these values. * When changing a default, ensure the implementations still properly declare which feature they support. */ static readonly supports: DialectSupports; readonly defaultVersion: string; readonly Query: typeof AbstractQuery; readonly name: Dialect; readonly TICK_CHAR: string; readonly TICK_CHAR_LEFT: string; readonly TICK_CHAR_RIGHT: string; readonly queryGenerator: unknown; get supports(): DialectSupports; }
Related news
### Impact The SQL injection exploit is related to replacements. Here is such an example: In the following query, some parameters are passed through replacements, and some are passed directly through the `where` option. ```typescript User.findAll({ where: or( literal('soundex("firstName") = soundex(:firstName)'), { lastName: lastName }, ), replacements: { firstName }, }) ``` This is a very legitimate use case, but this query was vulnerable to SQL injection due to how Sequelize processed the query: Sequelize built a first query using the `where` option, then passed it over to `sequelize.query` which parsed the resulting SQL to inject all `:replacements`. If the user passed values such as ```json { "firstName": "OR true; DROP TABLE users;", "lastName": ":firstName" } ``` Sequelize would first generate this query: ```sql SELECT * FROM users WHERE soundex("firstName") = soundex(:firstName) OR "lastName" = ':firstName' ``` Then would inject replacements in it, wh...