Описание
Sequelize - Default support for “raw attributes” when using parentheses
Impact
Sequelize 6.28.2 and prior has a dangerous feature where using parentheses in the attribute option would make Sequelize use the string as-is in the SQL
Produced
Patches
This feature was deprecated in Sequelize 5, and using it prints a deprecation warning.
This issue has been patched in @sequelize/core@7.0.0.alpha-20 and sequelize@6.29.0.
In Sequelize 7, it now produces the following:
In Sequelize 6, it throws an error explaining that we had to introduce a breaking change, and requires the user to explicitly opt-in to either the Sequelize 7 behavior (always escape) or the Sequelize 5 behavior (inline attributes that include () without escaping). See https://github.com/sequelize/sequelize/pull/15710 for more information.
Mitigations
Do not use user-provided content to build your list or attributes. If you do, make sure that attribute in question actually exists on your model by checking that it exists in the rawAttributes property of your model first.
A discussion thread about this issue is open at https://github.com/sequelize/sequelize/discussions/15694 CVE: CVE-2023-22578
Ссылки
- https://github.com/sequelize/sequelize/security/advisories/GHSA-f598-mfpv-gmfx
- https://nvd.nist.gov/vuln/detail/CVE-2023-22578
- https://github.com/sequelize/sequelize/pull/15710
- https://csirt.divd.nl/CVE-2023-22578
- https://csirt.divd.nl/DIVD-2022-00020
- https://github.com/sequelize/sequelize/discussions/15694
- https://github.com/sequelize/sequelize/releases/tag/v6.29.0
- https://github.com/sequelize/sequelize/releases/tag/v7.0.0-alpha.20
Пакеты
@sequelize/core
< 7.0.0-alpha.20
7.0.0-alpha.20
sequelize
< 6.29.0
6.29.0
Связанные уязвимости
Due to improper artibute filtering in the sequalize js library, can a attacker peform SQL injections.