javascript.aws-lambda.security.sequelize-sqli.sequelize-sqli

profile photo of semgrepsemgrep
Author
unknown
Download Count*
LGPL Commons Clause
License

Detected SQL statement that is tainted by $EVENT object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: sequelize.query('SELECT * FROM projects WHERE status = ?', { replacements: ['active'], type: QueryTypes.SELECT });

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: sequelize-sqli
    message: "Detected SQL statement that is tainted by `$EVENT` object. This could
      lead to SQL injection if the variable is user-controlled and not properly
      sanitized. In order to prevent SQL injection, use parameterized queries or
      prepared statements instead. You can use parameterized statements like so:
      `sequelize.query('SELECT * FROM projects WHERE status = ?', {
      replacements: ['active'], type: QueryTypes.SELECT });`"
    metadata:
      references:
        - https://sequelize.org/master/manual/raw-queries.html
      category: security
      owasp:
        - A01:2017 - Injection
        - A03:2021 - Injection
      cwe:
        - "CWE-89: Improper Neutralization of Special Elements used in an SQL
          Command ('SQL Injection')"
      technology:
        - aws-lambda
        - sequelize
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: HIGH
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - SQL Injection
    languages:
      - javascript
      - typescript
    severity: WARNING
    mode: taint
    pattern-sources:
      - patterns:
          - pattern-either:
              - pattern-inside: |
                  exports.handler = function ($EVENT, ...) {
                    ...
                  }
              - pattern-inside: |
                  function $FUNC ($EVENT, ...) {...}
                  ...
                  exports.handler = $FUNC
              - pattern-inside: |
                  $FUNC = function ($EVENT, ...) {...}
                  ...
                  exports.handler = $FUNC
          - pattern: $EVENT
    pattern-sinks:
      - patterns:
          - focus-metavariable: $QUERY
          - pattern-either:
              - pattern: $DB.query($QUERY, ...)
          - pattern-either:
              - pattern-inside: |
                  require('sequelize')
                  ...
              - pattern-inside: |
                  import 'sequelize'
                  ...

Examples

sequelize-sqli.js

let response;

const prettyPrint = (ob) => JSON.stringify(ob, null, 2).replace('\'','');
const timestamp = () => new Date();

const toBase64 = (msg) => Buffer.from(msg).toString('base64');

const { Sequelize } = require('sequelize');
exports.handler = async function (event, context) {
  console.log(event);
  const sequelize = new Sequelize('postgres://user:pass@example.com:5432/dbname')

  records = [];
  event.Records.forEach((record) => {
    const { body } = record;
    records.push(toBase64(body));
  });

  const query = `INSERT INTO public.messages (body, encoded_message) VALUES ('${JSON.stringify(event)}', '${records[0]}');`;
  console.log(query);

  try {
    // ruleid: sequelize-sqli
    await sequelize.query(query)

    // ok: sequelize-sqli
    await sequelize.query(
      'SELECT * FROM projects WHERE status = :status',
      {
        replacements: { status: 'active' },
        type: QueryTypes.SELECT
      }
    );
  } catch (error) {
    console.log(error);
  }

  return { key: JSON.stringify(records) };
};