javascript.aws-lambda.security.sequelize-sqli.sequelize-sqli

Detected SQL statement that is tainted by $EVENT
object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: sequelize.query('SELECT * FROM projects WHERE status = ?', { replacements: ['active'], type: QueryTypes.SELECT });
Definition
rules:
- id: sequelize-sqli
message: "Detected SQL statement that is tainted by the `$EVENT` object. This could
lead to SQL injection if the variable is user-controlled and not properly
sanitized. In order to prevent SQL injection, use parameterized queries
or prepared statements instead. You can use parameterized statements like
so: `sequelize.query('SELECT * FROM projects WHERE status = ?', {
replacements: ['active'], type: QueryTypes.SELECT });`"
metadata:
references:
- https://sequelize.org/master/manual/raw-queries.html
category: security
owasp:
- A01:2017 - Injection
- A03:2021 - Injection
cwe:
- "CWE-89: Improper Neutralization of Special Elements used in an SQL
Command ('SQL Injection')"
technology:
- aws-lambda
- sequelize
cwe2022-top25: true
cwe2021-top25: true
subcategory:
- vuln
likelihood: MEDIUM
impact: HIGH
confidence: MEDIUM
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
languages:
- javascript
- typescript
severity: WARNING
mode: taint
pattern-sources:
- patterns:
- pattern-either:
- pattern-inside: |
exports.handler = function ($EVENT, ...) {
...
}
- pattern-inside: |
function $FUNC ($EVENT, ...) {...}
...
exports.handler = $FUNC
- pattern-inside: |
$FUNC = function ($EVENT, ...) {...}
...
exports.handler = $FUNC
- pattern: $EVENT
pattern-sinks:
- patterns:
- pattern: $QUERY
- pattern-either:
- pattern-inside: $DB.query($QUERY, ...)
- pattern-either:
- pattern-inside: |
require('sequelize')
...
- pattern-inside: |
import 'sequelize'
...
Examples
sequelize-sqli.js
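/**
 * Module-level helpers for the `sequelize-sqli` Semgrep fixture.
 * `response`, `prettyPrint` and `timestamp` are declared but not referenced
 * by the handler below; they are kept so the fixture's shape is unchanged.
 */
let response;
// Note: a string pattern to `replace` removes only the first single quote.
const prettyPrint = (ob) => JSON.stringify(ob, null, 2).replace('\'','');
const timestamp = () => new Date();
// Base64-encodes a record body via the Node `Buffer` global.
const toBase64 = (msg) => Buffer.from(msg).toString('base64');
// `QueryTypes` is imported alongside `Sequelize`: the handler's parameterized
// query passes `type: QueryTypes.SELECT`, which was otherwise an unresolved name.
// The `require('sequelize')` call is what the rule's sink `pattern-inside` keys on.
const { Sequelize, QueryTypes } = require('sequelize');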
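/**
 * Lambda entry point used as the `sequelize-sqli` fixture.
 *
 * The rule runs in taint mode: `$EVENT` (the first parameter of the function
 * assigned to `exports.handler`) is the source, and `$QUERY` passed to
 * `$DB.query($QUERY, ...)` in a file that requires/imports `sequelize` is the
 * sink. The `// ruleid:` line must stay directly above the call that receives
 * the interpolated query, and `// ok:` above the parameterized call, for the
 * rule's own tests to pass.
 *
 * @param {object} event - Lambda invocation payload; `event.Records[].body` is read.
 * @param {object} context - Lambda context, unused here.
 * @returns {Promise<{key: string}>} JSON-encoded array of base64 record bodies.
 */
exports.handler = async function (event, context) {
  console.log(event);
  // Fixture connection string; the embedded credentials appear to be placeholders.
  const sequelize = new Sequelize('postgres://user:pass@example.com:5432/dbname');
  // Declared with `const` — the original bare assignment created an implicit global.
  const records = [];
  event.Records.forEach((record) => {
    const { body } = record;
    records.push(toBase64(body));
  });
  // Tainted: the whole `event` object and a value derived from it are
  // interpolated into the SQL text. This is the finding the rule reports.
  const query = `INSERT INTO public.messages (body, encoded_message) VALUES ('${JSON.stringify(event)}', '${records[0]}');`;
  console.log(query);
  try {
    // ruleid: sequelize-sqli
    await sequelize.query(query)
    // Safe form: the SQL text is constant and values travel via `replacements`.
    // ok: sequelize-sqli
    await sequelize.query(
      'SELECT * FROM projects WHERE status = :status',
      {
        replacements: { status: 'active' },
        type: QueryTypes.SELECT
      }
    );
  } catch (error) {
    // Best-effort fixture: errors are logged and the handler still returns.
    console.log(error);
  }
  return { key: JSON.stringify(records) };
};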