Skip to content

Security: SQL injection via unescaped sql.raw() in defaultWhereClause #186

Description

@Satvik77777

Summary

Query parameter keys from req.query are passed directly
into sql.raw() in defaultWhereClause (crud.ts:34) without
sanitization. The escapeString utility is imported on line 10
but never used.

Affected Code

crud.ts:34
const column = sql.raw("${toSnakeCase(key)}");

Impact

An attacker controlling query parameter key names can inject
arbitrary SQL into the column reference.

Reproduction

curl "http://localhost:9000/agreements?status=DRAFT"

key "status" goes directly into sql.raw()

Proposed Fix

Use escapeString (already imported) to sanitize key before
passing to sql.raw(), or validate key against known table
columns using Object.prototype.hasOwnProperty.call()

Found via

Static code audit following the data flow through
defaultWhereClause in crud.ts

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions