SQL Injection with default blueprints in Waterline #5347
Comments
Hey, this is scary! I'm on it. Most likely lives in waterline-sequel. Worth noting that there's a general trend of trying to move these adapters to be backed by knex for query-building. See https://github.com/waterlinejs/postgresql-adapter for example.
Any idea whether this is limited to MySQL or whether other adapters are also affected? -kevin
This would affect any adapter backed by waterline-sequel. I know that sails-postgresql would be included.
Can you tell me what all modules are impacted so that we can properly create an advisory for node security? Also, any additional details or recommendations for remediation that you suggest for users at this time until a fix is made available.
I can only speak to sails-mysql and sails-postgresql. @atiertant might want to look into sails-oracledb. @tjwebb I think that your new adapters are okay, but they use waterline-sequel for some tasks, right? The easiest way to test this against waterline adapters (which should be the only relevant modules) integration-style is to add tests to the waterline-adapter-test repo. I'll push a partial patch tonight that can hopefully be tightened up and released soon. CC @particlebanana. I can't complete every bit of work on this tonight, but @evilpacket if you would like to better understand the exploit, see, and feel free to add to the PR, which I'll post shortly. Suggestion: if you're using blueprints, disallow
Related PR: balderdashy/waterline-sequel#66.
@evilpacket as far as I can determine, any application that passes untrusted input to any of Waterline's Sails blueprint routes is especially vulnerable because they pass the
Actually it appears as though sails-postgresql is okay because it parametrizes those queries.
Now the patch should be complete, pending review. The more eyes on this the better!
Ok, merged the waterline-sequel patch. Working on an integration test to prove it's fixed the I will publish a patch to npm for both waterline-sequel and sails-mysql. Because postgresql uses parameterized queries it doesn't seem to be affected. Thanks for all your help @jamsea @devinivy and @kevinburkeshyp
Ok, everything should be published, so installing the latest version of sails-mysql (0.11.2) should take care of this. Can someone confirm that's true?
confirmed! thanks @particlebanana @devinivy!
👍
I have a model called "patients" which is using the default find blueprint in sails (its controller definition is just `module.exports = {};`). I have a sinking suspicion it may have to do with node-mysql not actually supporting prepared statements (https://github.com/felixge/node-mysql#escaping-query-values). I'm able to recreate the issue on any string field by passing in `\\\"` in "startsWith" as a where criteria. E.g. this:

Returns all records in the `patients` table. Scary. I have:

In my package.json. Has anyone else experienced anything similar?
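The following is an added example, not code from Waterline, waterline-sequel or sails-mysql, and it does not claim to reproduce the exact bug fixed in balderdashy/waterline-sequel#66. It illustrates the general failure mode the thread is about: a `startsWith` criterion rendered into a MySQL `LIKE` clause by string escaping rather than parameterization. A hypothetical builder that only doubles the quote delimiter is placed beside one that applies MySQL's backslash-escaping rules for string literals (the same character set node-mysql's `escape()` handles; that correspondence is an assumption about that library) and escapes the `LIKE` wildcards `%` and `_` as well. A small checker re-parses the generated SQL with MySQL literal rules to confirm the request value never leaves its literal, which is the kind of assertion an adapter integration test could make. The payload `\\"` in the code is the thread's `\\\"`, assumed here to reach the adapter JSON-decoded as a backslash followed by a double quote; the table and column names are constructed and assumed to come from the model definition, not from the request.

```javascript
// Added example, not Waterline / waterline-sequel / sails-mysql code.
// Contrasts a hypothetical quote-doubling LIKE builder with one that applies
// MySQL's literal escaping rules, and re-parses the output to check that the
// request value stays inside its string literal.

// Hypothetical weak escaper: handles the delimiter but not the backslash.
function naiveEscape(value) {
  return String(value).replace(/"/g, '""');
}

// MySQL literal escaping: backslash-escape NUL, backspace, tab, newline,
// carriage return, Ctrl-Z, both quote characters and the backslash itself
// (assumed to match the character set node-mysql's escape() handles).
const MYSQL_ESCAPES = {
  '\0': '\\0', '\b': '\\b', '\t': '\\t', '\n': '\\n', '\r': '\\r',
  '\x1a': '\\Z', '"': '\\"', "'": "\\'", '\\': '\\\\',
};
function mysqlEscape(value) {
  return String(value).replace(/[\0\b\t\n\r\x1a"'\\]/g, (ch) => MYSQL_ESCAPES[ch]);
}

// LIKE has its own wildcard layer: % and _ match anything, so a value that
// should match literally gets them prefixed with the LIKE escape character
// (backslash by default). This runs before the literal escaping.
function likeEscape(value) {
  return String(value).replace(/[\\%_]/g, (ch) => '\\' + ch);
}
function hardenedEscape(value) {
  return mysqlEscape(likeEscape(value));
}

// startsWith rendered as LIKE "<value>%" with the supplied escaper.
// Table and column are trusted model identifiers (assumption).
function buildStartsWith(table, column, value, escapeFn) {
  return 'SELECT * FROM `' + table + '` WHERE `' + column + '` LIKE "' + escapeFn(value) + '%"';
}

// Re-parse the double-quoted literal starting at index `start` with MySQL's
// rules: a backslash escapes the next character (\0 \b \n \r \t \Z become
// control characters, \% and \_ stay as written, anything else yields the
// character itself), a doubled quote is a literal quote, a lone quote ends
// the literal. Returns the decoded body and the SQL text after the literal.
const LITERAL_UNESCAPES = { '0': '\0', b: '\b', n: '\n', r: '\r', t: '\t', Z: '\x1a' };
function readDoubleQuotedLiteral(sql, start) {
  if (sql[start] !== '"') return { closed: false, body: '', rest: sql.slice(start) };
  let body = '';
  let i = start + 1;
  while (i < sql.length) {
    const ch = sql[i];
    if (ch === '\\' && i + 1 < sql.length) {
      const next = sql[i + 1];
      if (next === '%' || next === '_') body += '\\' + next;
      else if (Object.prototype.hasOwnProperty.call(LITERAL_UNESCAPES, next)) body += LITERAL_UNESCAPES[next];
      else body += next;
      i += 2;
      continue;
    }
    if (ch === '"') {
      if (sql[i + 1] === '"') { body += '"'; i += 2; continue; }
      return { closed: true, body, rest: sql.slice(i + 1) };
    }
    body += ch;
    i += 1;
  }
  return { closed: false, body, rest: '' };
}

// The check an adapter test can apply to a rendered query: the literal after
// LIKE must close, and nothing may follow it, because the builder put
// nothing after it. Anything left over came from the request value.
function likeValueStaysInLiteral(sql) {
  const at = sql.indexOf('LIKE "');
  if (at < 0) return false;
  const lit = readDoubleQuotedLiteral(sql, at + 'LIKE '.length);
  return lit.closed && lit.rest.trim() === '';
}

// The LIKE pattern MySQL would actually evaluate, for inspection.
function renderedPattern(sql) {
  const at = sql.indexOf('LIKE "');
  return at < 0 ? null : readDoubleQuotedLiteral(sql, at + 'LIKE '.length).body;
}

// Constructed payloads: the thread's value as backslash + double quote, a
// bare wildcard, and an ordinary prefix.
const BREAKOUT = '\\"';
const WILDCARD = '%';
for (const [label, fn] of [['naive', naiveEscape], ['hardened', hardenedEscape]]) {
  for (const payload of [BREAKOUT, WILDCARD, 'Ali']) {
    const sql = buildStartsWith('patients', 'name', payload, fn);
    const verdict = likeValueStaysInLiteral(sql) ? 'contained' : 'BREAKS OUT';
    console.log(label, JSON.stringify(payload), verdict, JSON.stringify(renderedPattern(sql)), sql);
  }
}
```

With the naive escaper the backslash-quote value closes the literal early and `%"` is left dangling outside it; with the hardened escaper the same value stays inside and the evaluated pattern is a literal `\"` followed by the wildcard. The bare `%` case is the caveat escaping alone does not cover: both builders produce well-formed SQL, but only the `LIKE`-escaped version keeps a user-supplied `%` from matching every row. With node-mysql the literal layer can be delegated to `?` placeholders, which, as the README linked in the issue says, are client-side escaping rather than server-side prepared statements; the wildcard escaping still has to be applied by the caller.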