 

How to prevent sql-injection in nodejs and sequelize? [closed]

I want to write custom queries using Sequelize and, as far as possible, avoid potential issues with SQL injection. My question is therefore whether there exists a secure way of writing custom queries with inserted variables using Sequelize?

Bhargava Narayan K P Avatar asked Feb 27 '16 10:02



People also ask

Does Sequelize protect against SQL injection?

All versions of Sequelize lower than 5.8.11 are vulnerable to SQL injection (CVE-2019-10748) because they contain JSON path keys that are not properly escaped for the MySQL and MariaDB dialects.

How can SQL injection be stopped?

Developers can prevent SQL Injection vulnerabilities in web applications by utilizing parameterized database queries with bound, typed parameters and careful use of parameterized stored procedures in the database.

Do I need to close Sequelize connection?

If you don't close the Sequelize connection, the micro-service will keep running until the connection times out (the pool's idle-time parameter).


1 Answer

Sequelize escapes replacements, which avoids the problem at the heart of SQL injection attacks: unescaped strings. It also supports binding parameters when using SQLite or PostgreSQL, which alleviates the risk further by sending the parameters to the database separately to the query, as documented here:

Bind parameters are like replacements. Except replacements are escaped and inserted into the query by sequelize before the query is sent to the database, while bind parameters are sent to the database outside the SQL query text. A query can have either bind parameters or replacements.

Only SQLite and PostgreSQL support bind parameters. Other dialects will insert them into the SQL query in the same way it is done for replacements. Bind parameters are referred to by either $1, $2, ... (numeric) or $key (alpha-numeric). This is independent of the dialect.

Dan Abrey Avatar answered Sep 16 '22 13:09

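An added illustration (not part of the answer above, and not Sequelize's own code) of the three paths the answer distinguishes: plain concatenation, an escaped replacement, and a bind parameter. The `escapeLiteral` helper is a simplified stand-in for Sequelize's escaper, and the hostile input is constructed; the real `sequelize.query` calls with the `replacements` and `bind` options appear in the comments.

```javascript
// Three ways a user-supplied value can reach a query. The escaping below is a
// simplified stand-in for what Sequelize replacements do; it is NOT Sequelize's
// own escaper. Equivalent Sequelize calls are given in the comments.
const SQL = 'SELECT id FROM users WHERE name = ';

// 1. String concatenation: the value becomes part of the SQL grammar, so a
//    quote in the input changes the meaning of the statement. This is the
//    pattern the question wants to avoid.
function concatenated(name) {
  return `${SQL}'${name}'`;
}

// 2. Replacement: the value is escaped and spliced into the SQL text before
//    the query is sent, which is what Sequelize does for `:name` / `?`.
//    Sequelize: sequelize.query('... WHERE name = :name',
//                 { replacements: { name }, type: QueryTypes.SELECT })
function escapeLiteral(value) {
  // Minimal string-literal escape: double every single quote (illustration only).
  return `'${String(value).replace(/'/g, "''")}'`;
}
function withReplacement(name) {
  return SQL + escapeLiteral(name);
}

// 3. Bind parameter: the SQL text is fixed and the value travels separately,
//    so the database only ever sees it as data. Sequelize sends `$1` / `$name`
//    this way on SQLite and PostgreSQL.
//    Sequelize: sequelize.query('... WHERE name = $name',
//                 { bind: { name }, type: QueryTypes.SELECT })
function withBind(name) {
  return { text: `${SQL}$1`, values: [name] };
}

// Constructed hostile input used to compare the three paths.
const hostile = "Bob' OR '1'='1";
```

With the hostile input, only the concatenated query ends up with an extra `OR` clause in its text; the replacement keeps the quotes inside one literal and the bind variant never puts the value in the SQL at all.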