javascript.sequelize.security.audit.sequelize-raw-query.sequelize-raw-query
Author: semgrep
Download count: 3,206
Avoiding SQL string concatenation: untrusted input concatenated with raw SQL query can result in SQL Injection. Data replacement or data binding should be used. See https://sequelize.org/master/manual/raw-queries.html
Definition
rules:
  - id: sequelize-raw-query
    message: "Avoiding SQL string concatenation: untrusted input concatenated with
      raw SQL query can result in SQL Injection. Data replacement or data
      binding should be used. See
      https://sequelize.org/master/manual/raw-queries.html"
    metadata:
      category: security
      technology:
        - sequelize
      cwe:
        - "CWE-89: Improper Neutralization of Special Elements used in an SQL
          Command ('SQL Injection')"
      owasp:
        - A01:2017 - Injection
        - A03:2021 - Injection
      references:
        - https://sequelize.org/master/manual/raw-queries.html
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: HIGH
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - SQL Injection
    languages:
      - javascript
      - typescript
    severity: WARNING
    pattern-either:
      - pattern: |
          $DATABASE.sequelize.query(`...${...}...`, ...)
      - pattern: |
          $QUERY = `...${...}...`
          ...
          $DATABASE.sequelize.query($QUERY, ...)
      - pattern: |
          $DATABASE.sequelize.query($SQL + $VALUE, ...)
      - pattern: |
          $QUERY = $SQL + $VALUE
          ...
          $DATABASE.sequelize.query($QUERY, ...)
Examples
sequelize-raw-query.js
// Case 1: run query by string concatenation using template literals
// ruleid: sequelize-raw-query
db.sequelize.query(
  `INSERT INTO user (username, password) VALUES('${username}','${password}')`
)
// Case 2: Build query by string concatenation using template literals
// ruleid: sequelize-raw-query
var query = `INSERT INTO user (username, password) VALUES('${username}','${password}')`
console.log("check password");
db.sequelize.query(query)
// Case 3: run query by string concatenation using + operator
// ruleid: sequelize-raw-query
db.sequelize.query(
  "INSERT INTO user (username, password) VALUES('" + username + "','" + password + "')"
)
// Case 4: Build query by string concatenation using + operator
// ruleid: sequelize-raw-query
var query = "INSERT INTO user (username, password) VALUES('" + username + "','" + password + "')"
console.log("check password");
db.sequelize.query(query)
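The test file above only shows the shapes the rule flags. The following is an added example, not part of the Semgrep rule or the Sequelize project, that puts the flagged shape beside the two forms the rule message recommends: `replacements` (`:name` placeholders, escaped by Sequelize before the statement is built) and `bind` (`$name` placeholders, passed to the driver separately from the SQL text on dialects that support bind parameters). `makeRecordingSequelize` is a constructed stand-in for a real Sequelize instance; it has the same `query(sql, options)` signature but only records what would reach the database driver, so the example runs offline. The username `o'brien` is a constructed input chosen because a single quote is enough to break string-built SQL.

```javascript
// Constructed stand-in for a Sequelize instance: records each call instead of
// talking to a database. Real code would use `new Sequelize(...)`.
function makeRecordingSequelize() {
  const calls = [];
  return {
    calls,
    // Same signature as Sequelize's `sequelize.query(sql, options)`.
    query(sql, options = {}) {
      calls.push({ sql, options });
      return Promise.resolve([]);
    },
  };
}

// Flagged shape (rule case 1): untrusted values become part of the SQL text.
function insertUserConcatenated(db, username, password) {
  return db.sequelize.query(
    `INSERT INTO user (username, password) VALUES('${username}','${password}')`
  );
}

// Recommended shape 1: `replacements` with :name placeholders. The SQL text is a
// constant; Sequelize escapes the values and substitutes them before sending.
function insertUserWithReplacements(db, username, password) {
  return db.sequelize.query(
    "INSERT INTO user (username, password) VALUES(:username, :password)",
    { replacements: { username, password } }
  );
}

// Recommended shape 2: `bind` with $name placeholders. The values travel to the
// driver as bind parameters, never spliced into the statement text.
function insertUserWithBind(db, username, password) {
  return db.sequelize.query(
    "INSERT INTO user (username, password) VALUES($username, $password)",
    { bind: { username, password } }
  );
}

// Run all three shapes against the recorder and report, per call, whether the
// raw input ended up inside the SQL text and whether parameters were used.
function compareShapes(username, password) {
  const db = { sequelize: makeRecordingSequelize() };
  insertUserConcatenated(db, username, password);
  insertUserWithReplacements(db, username, password);
  insertUserWithBind(db, username, password);
  return db.sequelize.calls.map(({ sql, options }) => ({
    sql,
    sqlContainsInput: sql.includes(username),
    parameterised: Boolean(options.replacements || options.bind),
  }));
}

// Constructed input: a username containing a single quote.
for (const row of compareShapes("o'brien", "hunter2")) {
  console.log(row);
}
```

Only the first call produces a statement whose text changes with the input; in the other two the statement is a fixed template and the values are carried in `options`, which is exactly the distinction the rule's patterns look for (a template literal or `+` expression flowing into `sequelize.query`).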
Short Link: https://sg.run/GeG6