Summary
Query parameter keys from req.query are passed directly
into sql.raw() in defaultWhereClause (crud.ts:34) without
sanitization. The escapeString utility is imported on line 10
but never used.
Affected Code
crud.ts:34
const column = sql.raw("${toSnakeCase(key)}");
Impact
An attacker controlling query parameter key names can inject
arbitrary SQL into the column reference.
Reproduction
curl "http://localhost:9000/agreements?status=DRAFT"
key "status" goes directly into sql.raw()
Proposed Fix
Use escapeString (already imported) to sanitize key before
passing to sql.raw(), or validate key against known table
columns using Object.prototype.hasOwnProperty.call()
Found via
Static code audit following the data flow through
defaultWhereClause in crud.ts
Summary
Query parameter keys from req.query are passed directly
into sql.raw() in defaultWhereClause (crud.ts:34) without
sanitization. The escapeString utility is imported on line 10
but never used.
Affected Code
crud.ts:34
const column = sql.raw(
"${toSnakeCase(key)}");Impact
An attacker controlling query parameter key names can inject
arbitrary SQL into the column reference.
Reproduction
curl "http://localhost:9000/agreements?status=DRAFT"
key "status" goes directly into sql.raw()
Proposed Fix
Use escapeString (already imported) to sanitize key before
passing to sql.raw(), or validate key against known table
columns using Object.prototype.hasOwnProperty.call()
Found via
Static code audit following the data flow through
defaultWhereClause in crud.ts