
V6: Removing operator aliases

See original GitHub issue

With the v6 release we are looking to entirely remove operator aliasing support (e.g. $eq, $gt, $and, etc.) in favor of the symbol based operators introduced in v4 and enabled by default in v5.

Aliased operators are potentially vulnerable to user input injection when passing certain user generated input into sequelize calls. This is especially problematic for query string parsers that support complex data structures. For more details please see the previous migration guides and documentation.

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Reactions: 6
  • Comments: 14 (9 by maintainers)

Top GitHub Comments

3 reactions
stalniy commented, Jun 14, 2019

I don’t think using symbols instead of string keys somehow improves security.

The issue is not in strings or symbols but in how apps process user input. Even the documentation says something like: it will help, but don’t forget to sanitize input. With symbols, a dev can make his code vulnerable to injection as well; the only thing which needs to be done is to map string keys to symbol keys.

Frankly speaking, not a big deal 😃 I don’t think symbol operators somehow help, but they add a bit of complexity.

1 reaction
stalniy commented, Oct 2, 2019

@kevinlammers, it always was the problem of the developer, not Sequelize (I argued about the purpose of removing operators in previous comments https://github.com/sequelize/sequelize/issues/10820#issuecomment-501959070).

Now “life” is a bit more complicated: it’s more complicated to send a silly/hard-coded Sequelize query from client to server. But it was always a wrong approach!

If you want to do rich filtering or sorting from the client, you need to

  1. create your own client to server language,
  2. create language translator which converts your language into sequelize query.
  3. During translation process don’t forget to prevent different injection attacks.
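The two points above, the issue text's warning that a query-string parser which builds nested objects lets the client choose the operator, and stalniy's advice to define your own client-to-server filter language and translate it with injection checks, as one added example in JavaScript. This is not code from the Sequelize issue or from the Sequelize project: `Op` is a local stand-in whose `Symbol.for('<name>')` values are assumed to match how Sequelize defines its operator symbols; `parseQuery` is a small bracket-syntax parser written here in place of a library such as qs; `blindAliasMap` is the naive string-to-symbol mapping stalniy describes; `buildWhere` is the translator, with an allow-list of fields, per-field operators and coercions that are choices for this example; backslash as the LIKE escape character is an assumption about the dialect; the query strings in the comments are constructed inputs.

```javascript
// Added example, not code from the Sequelize issue or project.
// Op is a local stand-in for Sequelize's operator symbols; Sequelize is
// assumed to define them as Symbol.for('<name>'), so the shapes match.
const Op = {
  eq: Symbol.for('eq'), ne: Symbol.for('ne'),
  gt: Symbol.for('gt'), gte: Symbol.for('gte'),
  lt: Symbol.for('lt'), lte: Symbol.for('lte'),
  like: Symbol.for('like'),
};

// Minimal bracket-syntax parser written for this example, standing in for a
// "complex data structure" parser such as qs: "?name[$gt]=" -> { name: { $gt: '' } }.
// Null-prototype objects keep keys like __proto__ from touching the prototype chain.
function parseQuery(qs) {
  const out = Object.create(null);
  for (const pair of qs.replace(/^\?/, '').split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const key = decodeURIComponent(eq < 0 ? pair : pair.slice(0, eq));
    const val = decodeURIComponent((eq < 0 ? '' : pair.slice(eq + 1)).replace(/\+/g, ' '));
    const path = key.split(/[\[\]]+/).filter(Boolean); // a[b][c] -> ['a', 'b', 'c']
    let node = out;
    path.forEach((seg, i) => {
      if (i === path.length - 1) { node[seg] = val; return; }
      if (typeof node[seg] !== 'object' || node[seg] === null) node[seg] = Object.create(null);
      node = node[seg];
    });
  }
  return out;
}

// What stalniy warns about: blindly mapping "$name" keys onto Op symbols hands the
// client the operator back, so removing the string aliases bought nothing.
function blindAliasMap(where) {
  const out = {};
  for (const [k, v] of Object.entries(where)) {
    const name = k.startsWith('$') ? k.slice(1) : null;
    const sym = name && Object.prototype.hasOwnProperty.call(Op, name) ? Op[name] : undefined;
    out[sym || k] = (v !== null && typeof v === 'object') ? blindAliasMap(v) : v;
  }
  return out;
}

class FilterError extends Error {}

// The client-to-server filter language: filter[<field>][<op>]=<value>. Operator
// names are the language's own (startsWith, not like); fields and the operators
// each accepts are allow-listed; every value goes through a coercion.
const CLIENT_OPS = { eq: Op.eq, ne: Op.ne, gt: Op.gt, gte: Op.gte, lt: Op.lt, lte: Op.lte, startsWith: Op.like };

const toInt = (s) => {
  if (typeof s !== 'string' || !/^-?\d{1,9}$/.test(s)) throw new FilterError(`not an integer: ${s}`);
  return Number(s);
};
const toStr = (max) => (s) => {
  if (typeof s !== 'string' || s.length > max) throw new FilterError('bad string');
  return s;
};
const toEnum = (allowed) => (s) => {
  if (!allowed.includes(s)) throw new FilterError(`not one of ${allowed}: ${s}`);
  return s;
};

const FILTERABLE = {
  age:    { ops: ['eq', 'gt', 'gte', 'lt', 'lte'], coerce: toInt },
  name:   { ops: ['eq', 'startsWith'],             coerce: toStr(64) },
  status: { ops: ['eq'],                           coerce: toEnum(['active', 'disabled']) },
};

// Backslash as the LIKE escape character is assumed; check your dialect first.
const escapeLike = (s) => s.replace(/[\\%_]/g, (c) => '\\' + c);

// Translate the client language into a Sequelize-style where object. Nothing the
// client sends becomes a key: only allow-listed field names and Op symbols do.
function buildWhere(query) {
  const where = {};
  const filter = query.filter;
  if (filter === undefined) return where;
  if (filter === null || typeof filter !== 'object') throw new FilterError('filter must be an object');
  for (const [field, spec] of Object.entries(filter)) {
    if (!Object.prototype.hasOwnProperty.call(FILTERABLE, field)) throw new FilterError(`field not filterable: ${field}`);
    const rule = FILTERABLE[field];
    const clauses = (spec !== null && typeof spec === 'object') ? spec : { eq: spec }; // filter[age]=30 means eq
    where[field] = {};
    for (const [op, raw] of Object.entries(clauses)) {
      if (!rule.ops.includes(op)) throw new FilterError(`operator not allowed on ${field}: ${op}`);
      let value = rule.coerce(raw);
      if (op === 'startsWith') value = escapeLike(value) + '%';
      where[field][CLIENT_OPS[op]] = value;
    }
  }
  return where;
}
```

The object `buildWhere` returns is what you would pass as `where` to `Model.findAll`. A request like `?filter[password][ne]=` (constructed) raises `FilterError` because `password` is not in the allow-list, and `?filter[age][$gt]=0` raises it because `$gt` is not an operator of the client language; feed the same parsed input to `blindAliasMap` and it comes back keyed by `Op.ne` / `Op.gt`, which is exactly the injection the symbol operators were meant to prevent.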

Top Results From Across the Web

Model Querying - Basics - Sequelize
When using aggregation function, you must give it an alias to be able to access it from the model. In the example above...
Sequelize Deprecated Error Message - node.js - Stack Overflow
As of Version 5, the operatorAliases will cause a warning: "DeprecationWarning: String based operators are deprecated.
Risks involved with operatorAliases in Sequelize - Wallarm
Not having any string aliases will make it extremely unlikely that operators could be injected but you should always properly validate and ...
