Sequelize where option sql injection?

Is the following sequelize call vulnerable for sql injection?

// filter comes straight from the query string, so it may be a string or an object
var dataDirectlyFromTheUserWithoutValidation = req.query.filter;
// the where option is passed through untouched
Record.findAll({where: dataDirectlyFromTheUserWithoutValidation});

1 answer

  • answered 2018-10-09 16:41 dlatikay

    Yes, for versions below 4.

    The library contains a comment in the source code of the SELECT query composition that states,

    If you use a string, you have to escape it on your own.

    Sequelize inserts the values of an options.where hash unescaped and unparametrized into a string that gets executed by the destination engine (I checked it only for MSSQL).

    So callers need to take care that they sanitize any user input to mitigate a possible sql injection vulnerability in their applications.

    Authors claim to have addressed this vulnerability starting from v4. Other vulnerabilities in connection with ORDER and LIMIT clauses have already been addressed starting from v3.16.