 

Do I need to validate, sanitise or escape data when using the build method in sequelize.js

I have a node / express / sequelize app. I am using the build method in sequelize to create instances of my Foo model.

Foo Controller

    var db = require('../models'); // assumed: models index that exports Foo

    exports.create = function(req, res) {
        // build() takes the whole request body as-is; any model attribute
        // present in req.body is set from client input
        var foo = db.Foo.build(req.body);
        foo.save().then(function(saved) {
            // do stuff
            res.status(201).json(saved);
        }).catch(function(err) {
            // validation or database errors end up here
            res.status(400).json({ error: err.message });
        });
    };

Foo Model

    module.exports = function(sequelize, DataTypes) {
        // plain STRING columns with no validators of their own
        var Foo = sequelize.define('Foo', {
            bar: DataTypes.STRING,
            baz: DataTypes.STRING
        });
        return Foo;
    };

Does the build method check that the data I am saving is clean or do I need to take some extra precautions here?

bladedev asked Sep 27 '15 13:09


1 Answer

I prefer to do secondary validation in routes, because:

1) Storing data in a database is one of many things you can do with this data. If you only validate in the database, then in other places you get unvalidated data. For example, you may need some computation or concatenation before saving it in the database.

2) Or when you use one sequelize model in many routes (e.g. the User model in a customer route and a partner route) and you want to apply different validation rules.

I always set validation in sequelize models, but this is validation with 'maximum allowable conditions' (e.g. the username field is never larger than 200 chars and it is a string). I also do route validation. It is more specific and concrete (e.g. in the customer route the username max length is 100, but in the partner route the username may have 150 chars, and it also checks the content of this string).

And finally, the strict answer to your question: sequelize validation is mostly for validating format, and this is not enough. Look at my answer "NodeJS/express - security for public API endpoint": if you save data without correct validation and then serve this data, you are exposed to an XSS attack.

Krzysztof Sztompka answered Oct 01 '22 16:10
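The two-tier scheme the answer describes (loose "maximum allowable" rules on the model, stricter per-route rules, and escaping when the data is served back), as an added example that is not part of the original question or answer. It is written as plain Node.js with no Sequelize dependency so it runs stand-alone; the rule sets, the `pickFields`/`validate`/`escapeHtml` helpers, the `createFoo` route handler and the sample request body are all constructed for this illustration and are not from the original page or from Sequelize's own API.

```javascript
// Added example (not from the original page): route-level validation in front
// of a Sequelize-style model, plus output escaping. All rule sets and helper
// names below are assumptions made for this illustration.

// Model-level rules: the widest constraints any route may store
// (the answer's "maximum allowable conditions").
const MODEL_RULES = {
  bar: { type: 'string', max: 200 },
  baz: { type: 'string', max: 200 },
};

// Stricter rules for one specific route: shorter limit, required field,
// and a content check on bar.
const CUSTOMER_ROUTE_RULES = {
  bar: { type: 'string', max: 100, required: true, pattern: /^[\w .-]+$/ },
  baz: { type: 'string', max: 100 },
};

// Keep only the attributes this route is allowed to set, so extra keys in
// req.body (constructed example: isAdmin) never reach Model.build().
function pickFields(body, allowed) {
  const out = {};
  for (const key of allowed) {
    if (Object.prototype.hasOwnProperty.call(body, key)) out[key] = body[key];
  }
  return out;
}

// Returns a list of error strings; an empty list means the data passed.
function validate(rules, data) {
  const errors = [];
  for (const [field, rule] of Object.entries(rules)) {
    const value = data[field];
    if (value === undefined) {
      if (rule.required) errors.push(`${field}: required`);
      continue;
    }
    if (rule.type === 'string' && typeof value !== 'string') {
      errors.push(`${field}: must be a string`);
      continue;
    }
    if (rule.max !== undefined && value.length > rule.max) {
      errors.push(`${field}: longer than ${rule.max} characters`);
    }
    if (rule.pattern && !rule.pattern.test(value)) {
      errors.push(`${field}: contains disallowed characters`);
    }
  }
  return errors;
}

// Escape when serving stored text in HTML, so a stored payload is rendered
// as text rather than markup. This is the XSS defence the answer points to.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Route handler logic: whitelist fields, apply route rules, then model rules.
// In the real controller, db.Foo.build(data).save() would run on success.
function createFoo(body, routeRules) {
  const data = pickFields(body, Object.keys(routeRules));
  const errors = [...new Set([
    ...validate(routeRules, data),
    ...validate(MODEL_RULES, data),
  ])];
  if (errors.length > 0) return { status: 400, errors };
  return { status: 201, record: data };
}

// Constructed request body: one extra attribute and one script payload.
const sampleBody = { bar: 'alice', baz: '<script>alert(1)</script>', isAdmin: true };

const result = createFoo(sampleBody, CUSTOMER_ROUTE_RULES);
console.log(result);                               // isAdmin has been dropped
if (result.status === 201) {
  // The stored value is still the raw payload; escape it at render time.
  console.log(escapeHtml(result.record.baz));
}
```

Note that `baz` passes both rule sets even though it contains a script tag: length and type checks say nothing about content, which is exactly why the answer treats format validation as insufficient and escapes on output as well. A 150-character `bar` passes the model rules but is rejected by the customer route, matching the per-route limits the answer describes.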