javascript.sequelize.security.audit.sequelize-raw-query.sequelize-raw-query


Avoid building a raw SQL query by string concatenation or template-literal interpolation: untrusted input spliced into the query text results in SQL injection (CWE-89). Pass values through Sequelize's `replacements` or `bind` options instead. Note that both options parameterize values only — a table or column name taken from input cannot be bound and must be validated against an allowlist before it is placed in the query text. See https://sequelize.org/master/manual/raw-queries.html



Definition

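# Semgrep audit rule: flags Sequelize raw queries whose SQL text is assembled
# by `+` concatenation or template-literal interpolation.
#
# This is an audit-grade rule (likelihood/confidence LOW): the patterns are
# purely syntactic and do not trace whether the interpolated value is
# attacker-controlled, so a query that only concatenates constants is reported
# as well and has to be triaged by hand. The fix is to keep the SQL text
# constant and pass data through Sequelize's `replacements` or `bind` options;
# identifiers (table/column names) cannot be parameterized that way and need
# an allowlist check instead.
rules:
  - id: sequelize-raw-query
    message: "Avoiding SQL string concatenation: untrusted input concatenated with
      raw SQL query can result in SQL Injection. Data replacement or data
      binding should be used. See
      https://sequelize.org/master/manual/raw-queries.html"
    metadata:
      category: security
      technology:
        - sequelize
      cwe:
        - "CWE-89: Improper Neutralization of Special Elements used in an SQL
          Command ('SQL Injection')"
      owasp:
        - A01:2017 - Injection
        - A03:2021 - Injection
      references:
        - https://sequelize.org/master/manual/raw-queries.html
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: HIGH
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - SQL Injection
    languages:
      - javascript
      - typescript
    severity: WARNING
    pattern-either:
      # Calls through a wrapper object that exposes the instance as
      # `.sequelize`, e.g. `db.sequelize.query(...)`. The query text is either
      # built inline in the call or assigned to a variable that is later
      # passed as the first argument.
      - pattern: |
          $DATABASE.sequelize.query(`...${...}...`, ...)
      - pattern: |
          $QUERY = `...${...}...`
          ...
          $DATABASE.sequelize.query($QUERY, ...)
      - pattern: |
          $DATABASE.sequelize.query($SQL + $VALUE, ...)
      - pattern: |
          $QUERY = $SQL + $VALUE
          ...
          $DATABASE.sequelize.query($QUERY, ...)
      # Direct calls on a Sequelize instance, e.g. `sequelize.query(...)`, the
      # form used throughout the referenced manual. The instance is pinned to a
      # `new Sequelize(...)` construction in the same scope so that unrelated
      # `.query()` APIs (pg, mysql2, ...) are not matched; an instance imported
      # from another module is therefore not covered by this branch.
      - patterns:
          - pattern-inside: |
              $SEQUELIZE = new Sequelize(...)
              ...
          - pattern-either:
              - pattern: |
                  $SEQUELIZE.query(`...${...}...`, ...)
              - pattern: |
                  $QUERY = `...${...}...`
                  ...
                  $SEQUELIZE.query($QUERY, ...)
              - pattern: |
                  $SEQUELIZE.query($SQL + $VALUE, ...)
              - pattern: |
                  $QUERY = $SQL + $VALUE
                  ...
                  $SEQUELIZE.query($QUERY, ...)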

Examples

sequelize-raw-query.js

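// Semgrep test fixture for the `sequelize-raw-query` rule.
//
// `db`, `username` and `password` are intentionally undeclared: this file is
// only parsed by Semgrep, never executed. Each `// ruleid:` annotation must
// stay on the line immediately before the statement the rule is expected to
// flag, and each `// ok:` annotation before a statement it must NOT flag.
//
// Cases 1-4 build the SQL text from `username`/`password` and are injectable.
// Cases 5-8 keep the SQL text constant and hand the values to Sequelize via
// `replacements` or `bind`, so the rule must stay silent on them. Both options
// parameterize values only; a table or column name coming from input still has
// to be allowlisted before being placed in the query text.

// Case1: run query by string concatenation using template literals
// ruleid: sequelize-raw-query
db.sequelize.query(
  `INSERT INTO user (username, password) VALUES('${username}','${password}')`
)

// Case 2: Build query by string concatenation using template literals
// ruleid: sequelize-raw-query
var query = `INSERT INTO user (username, password) VALUES('${username}','${password}')`
console.log("check password");
db.sequelize.query(query)


// Case 3: run query by string concatenation using + operator
// ruleid: sequelize-raw-query
db.sequelize.query(
  "INSERT INTO user (username, password) VALUES('" + username + "','" + password + "')"
)

// Case 4: Build query by string concatenation using + operator
// ruleid: sequelize-raw-query
var query = "INSERT INTO user (username, password) VALUES('" + username + "','" + password + "')"
console.log("check password");
db.sequelize.query(query)

// Case 5: positional replacements; Sequelize escapes the values before the
// query reaches the database, the SQL text itself is a constant.
// ok: sequelize-raw-query
db.sequelize.query(
  "INSERT INTO user (username, password) VALUES(?, ?)",
  { replacements: [username, password] }
)

// Case 6: named replacements.
// ok: sequelize-raw-query
db.sequelize.query(
  "INSERT INTO user (username, password) VALUES(:username, :password)",
  { replacements: { username: username, password: password } }
)

// Case 7: bind parameters are sent to the database separately from the SQL text.
// ok: sequelize-raw-query
db.sequelize.query(
  "INSERT INTO user (username, password) VALUES($1, $2)",
  { bind: [username, password] }
)

// Case 8: a fixed query string with no interpolation is not reported.
// ok: sequelize-raw-query
db.sequelize.query("SELECT COUNT(*) FROM user")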