Security: 'unterminated quoted string' updating model
We have a case from fuzzy scanning that results in the following error:
unterminated quoted string at or near "'"
LINE 1: UPDATE "production"."questions" SET "text"='
The error is caused by a model instance being updated, like this:
const question = await sequelize.models.Entity.findById(questionId);
await question.update({
  text: req.body.text
});
The req.body.text is validated to be a string and within the right length. We suspect this is caused by some special character inside req.body.text that fools the escaping logic in Sequelize. If https://github.com/sequelize/sequelize/issues/1608 is implemented, this would be a non-issue, as you will skip any messy escaping, which is extremely hard to do properly, just ask the PHP guys.
Most likely this makes Sequelize vulnerable to SQL injection for any uses that accept text from the user (which I would guess is pretty close to all uses of Sequelize).
Dialect: postgres
Database version: 9.5
Sequelize version: 3.23.4
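The following is an added example, not code from the Sequelize project or from the issue author. It models the failure the post describes: a string containing a NUL character (U+0000) is pushed through a quote-doubling escaper, and because the PostgreSQL simple-query protocol carries the statement as a NUL-terminated string, everything after the embedded NUL never reaches the parser, which is exactly why the server reports "unterminated quoted string" with the statement cut off right after the opening quote. The quoteLiteral function is an assumed, deliberately minimal stand-in and is not Sequelize's escaper; assertNoNul and stripNul are hypothetical helper names for the kind of input check an application can run before calling model.update(), as a stopgap until bound parameters make escaping unnecessary.

```javascript
// Added example (not Sequelize's or the issue author's code). Shows why an
// embedded NUL produces a truncated statement, and a defensive check that
// rejects such input before it reaches the ORM.

const NUL = "\u0000";

// Assumption: a minimal escaper that only doubles single quotes. This is NOT
// Sequelize's escaping routine; it is just enough to reproduce the symptom.
function quoteLiteral(value) {
  return "'" + String(value).replace(/'/g, "''") + "'";
}

// Builds the kind of UPDATE statement shown in the issue's error message.
function buildUpdateStatement(schema, table, column, value) {
  return `UPDATE "${schema}"."${table}" SET "${column}"=${quoteLiteral(value)}`;
}

// Simulates what the server actually parses: the PostgreSQL Query message
// carries the SQL as a NUL-terminated string, so the text stops at the
// first NUL.
function statementAsSeenByServer(sql) {
  const cut = sql.indexOf(NUL);
  return cut === -1 ? sql : sql.slice(0, cut);
}

// Hypothetical validator to run before model.update(): PostgreSQL cannot
// store NUL in text columns, so reject it up front with a clear error rather
// than letting the database return a confusing one.
function assertNoNul(value, fieldName = "value") {
  if (typeof value !== "string") {
    throw new TypeError(`${fieldName} must be a string`);
  }
  const at = value.indexOf(NUL);
  if (at !== -1) {
    throw new RangeError(`${fieldName} contains a NUL character at index ${at}`);
  }
  return value;
}

// Alternative policy when silently dropping the character is acceptable.
function stripNul(value) {
  return String(value).split(NUL).join("");
}

// Constructed sample inputs: a benign string containing a quote, and a
// fuzzer-style string that starts with a NUL.
const benignInput = "it's fine";
const fuzzedInput = NUL + "rest of the text";

// Runs both inputs through the pipeline and reports what the server would
// see and what the validator decides.
function demo() {
  const benignSql = buildUpdateStatement("production", "questions", "text", benignInput);
  const fuzzedSql = buildUpdateStatement("production", "questions", "text", fuzzedInput);
  let fuzzedRejected = false;
  try {
    assertNoNul(fuzzedInput, "text");
  } catch (err) {
    fuzzedRejected = err instanceof RangeError;
  }
  return {
    benignSql,
    benignSeen: statementAsSeenByServer(benignSql),
    fuzzedSeen: statementAsSeenByServer(fuzzedSql),
    fuzzedRejected,
    fuzzedStripped: stripNul(fuzzedInput),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

Running demo() shows the benign statement arriving intact, while the fuzzed statement is seen by the server as UPDATE "production"."questions" SET "text"=' , the same truncated text the error message quotes. In practice the rejection should live in the request validation layer (alongside the existing type and length checks), since a NUL can never be a legitimate value for a PostgreSQL text column.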
@holm In any case we’d probably want to throw explicitly, escape or filter when facing a value that postgres doesn’t accept.
Understanding the problem better, I don’t think this can actually be used for any injection, since the null character seems to terminate the current statement. However I have seen people be very clever with these injections before, so hard to be sure.