Input mapper could not open exclusively
One of the most dangerous and widespread vulnerability types is SQL Injection, which gives attackers access to your backend database. Using prepared statements and Object-Relational Mapping (ORM) is a good way to defend against SQL injection, but it’s not enough. As this post shows, ORM packages such as Sequelize and MySQL can and do have flaws that can leave you exposed. To truly protect yourself, you need to do more.

In our State of Open Source Security Report 2019 we learned that SQL Injection vulnerabilities are still a common source of security concern, with a peak of 16 vulnerabilities found in libraries on the PHP Packagist repository.

TL;DR

An SQL Injection vulnerability, or SQLi for short, allows an attacker to add – “inject” – unstructured text into an SQL command, triggering unintended consequences. One way to protect against SQL Injection is to use an ORM package, which maps your objects and actions on them into SQL for you. Using such packages means you’re never actually composing SQL, and so don’t get the chance to slip and allow malicious injections.

What’s easy to forget, though, is that just because you’re not composing SQL doesn’t mean it’s not being composed. And indeed, the ORM packages in npm still need to convert these actions into SQL. These packages are, like all packages, software, and software can have bugs. During the past year, 4 SQL Injection vulnerabilities were reported on the two top ORM packages in npm, sequelize and node-mysql, moving this concern from theory to reality. These issues are fixed in the latest package versions, but you may be using old versions, and new vulnerabilities may turn up.

This post shows a couple of examples of such flaws, and explains what other layers of defense you should apply, the key ones being:

Test your dependencies for vulnerabilities

Before we dig into the problem scenarios, though, let’s start with a quick refresh on what SQL Injection is, what your options are for protecting against it, and what ORM is.

Imagine a task list app with a search function, searching items containing a given text. The search is performed as a DB query, implemented using the sequelize package. Assuming the DB connection was already set up, here’s the backend search function:

function findItems(req, resp)

In a legitimate use case, the user will enter a simple value (e.g. "SELECT Desc FROM Items WHERE Desc like ('%" + + "%')",
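The search function described above, as an added JavaScript example that is not the post's own code: it places the concatenated LIKE query the post quotes beside a parameterised version, and adds an input allow-list as one of the extra defence layers the post argues for. No database driver is used; each builder returns the SQL text and the bound parameters that would be handed to the driver, so the difference is visible without a database. The sample inputs are constructed, the `?` placeholder convention assumes a mysql-style driver, and `findItemsQuery` is a hypothetical stand-in for the post's `findItems` handler.

```javascript
// Added example, not code from the original post. Even when an ORM composes the SQL,
// the user's value still has to stay out of the SQL text itself.
// No DB driver is needed: each builder returns what would be sent to the driver.

// Constructed sample inputs: an ordinary search term and one containing quotes and
// SQL punctuation that a task-list search never legitimately needs.
const SAMPLE_INPUTS = ["milk", "x%') OR 1=1 --"];

// Vulnerable builder (the concatenation pattern quoted in the post): the user's text
// becomes part of the SQL grammar, so quotes and keywords inside it are parsed as SQL.
function buildSearchSqlUnsafe(text) {
  return "SELECT Desc FROM Items WHERE Desc like ('%" + text + "%')";
}

// LIKE has its own metacharacters (% and _). A bound parameter protects the SQL
// grammar but not these, so they are escaped separately to keep the search literal.
// Backslash is the default LIKE escape character in MySQL (assumption for other DBs).
function escapeLikeWildcards(text) {
  return text.replace(/[\\%_]/g, (c) => "\\" + c);
}

// Safer builder: the SQL text is constant and the value travels as a bound parameter.
// The "?" placeholder shape mirrors mysql-style drivers (assumption; no driver is called).
function buildSearchSqlSafe(text) {
  return {
    sql: "SELECT Desc FROM Items WHERE Desc LIKE ?",
    params: ["%" + escapeLikeWildcards(text) + "%"],
  };
}

// Defence-in-depth layer: validate the search term before it reaches the DB layer.
// Word characters, whitespace and hyphens only, bounded in length.
function isValidSearchTerm(text) {
  return typeof text === "string" && text.length > 0 && text.length <= 64 &&
    /^[\w\s-]+$/.test(text);
}

// Hypothetical stand-in for the post's findItems handler: validates, then builds the
// parameterised query. Returns null when the input is rejected.
function findItemsQuery(searchText) {
  if (!isValidSearchTerm(searchText)) return null;
  return buildSearchSqlSafe(searchText);
}

// Self-check used to compare the two builders: does the SQL *text* change with the input?
// It does for the unsafe builder and never does for the safe one.
function sqlTextDependsOnInput(builder) {
  const texts = SAMPLE_INPUTS.map((t) => {
    const out = builder(t);
    return typeof out === "string" ? out : out.sql;
  });
  return new Set(texts).size > 1;
}
```

The allow-list is deliberately narrow for this app; the point is that validation is a separate layer from parameterisation, so a future bug in the package that renders the query does not have unrestricted input to work with.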







