-
Notifications
You must be signed in to change notification settings - Fork 2.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Security issue with param escaping? #731
Comments
The problem seems to be about params that are not strings. Although I'll continue to sanitize all my user inputs (to avoid username impersonation attacks like |
We can confirm that the problem is caused by passing objects to the query call. There is no code to show: its as simple as passing a req.body.something to the .query call of node-mysql when using express with the bodyparser middleware. Running the vulnerability scanner against https://gist.github.com/ssafejava/9a2d77704712a8769322 causes the exception to be thrown. |
This is not an issue with escaping with this library; this library is properly escaping all values and column names. The security issue is just with the way you are combining express and this library, such that you were expecting to get a string from express, so you were only expecting the
|
I consider prepared statements as intended to mitigate lack of input validation in the params in general. Therefor, limiting it to the case where input has already been validated as being a string, in my opinion misses the point. |
These are not prepared statements, they are done client-side and have various rules for how The purpose if it doing stuff different for objects is to help people who want to easily use Please see the "Different value types are escaped differently, here is how:" section in https://github.com/felixge/node-mysql#escaping-query-values |
I see. Looks like an unlucky case of embrace and extend. I wish you had opted for something like Edit: Not really embrace and extend, as you wrote they aren't prepared statements. Rather just a pitfall for people who learn from tutorials and conclude topical similarity from visual similarity. |
I can't see how it's the type system's fault when programmers assume that a mechanism that looks like prepared statements will defuse any data they pass in. Let's at least blame it at the programmers for trusting visual similarity instead of reading the manual thoroughly. |
@mk-pmb sure, though this module only has a small Readme, which has all the |
@mk-pmb it's the programmers role to understand the libraries he/she is using at least to the extend they are documented before including them in any production environment. If the library isn't fully documented, that's on the creator, but since this is an open-source world you can't really blame somebody for dedicating their time towards creating something for free. Inferring functionality from syntax is useful, but think rationally: if the Libraries and languages that make it easier to start developing are extremely useful, but I fear it gives a novice developer a misplaced sense of confidence. It's easy to build a small application, and when it "just works" assume nothing could possibly go wrong. |
I agree with that. And still, lots of people do it. So for all software that I manage, I'll try and have it be compatible with everyday flawed humans, in hopes to lessen the risk and impact of errors in software based on mine, written by fallible humans. BOfH would ship a GNU/Linux distro where the default shell acts fully like bash, just that on every line starting with an uppercase letter, the meaning of Update: Thanks for making it opt-in. |
Please, this issue doesn't need any more comments. It is still open as a tracking issue for me. There are coming changes that will affects this module and even things like These are changes that are coming I listed, not speculation. Please just know that this issue is taken seriously. |
Are there any circumstances where this would lead to an injection attack? As far as I can work out so far this appears to only ever result in syntax errors. |
@SystemParadox: I don't think so. The report seems to be badly explained and seems to be related to constructing SQL based on user input without any check. Good usage: db.query("SELECT * FROM users WHERE id = ?", [ +req.params.id ], next); No harm on that, casting forces it to be a number. Even if it wasn't a number and the The problem here seems to be with something more like: // BAD! BAD!
db.query("SELECT * FROM " + req.params.table + " WHERE ....", next); |
@SystemParadox yeah I just took a look at the formatting and escaping code. I don't see any way that passing unvalidated data to be interpolated into the query could result in an injection vulnerability. Without validation you can easily get a syntax error. |
Hi, im running node-mysql latest on node-latest.
Somebody using the acunetix vulnerability scanner has triggered this error:
UNKNOWN COLUMN '$acunetix' IN WHERE CLAUSE.
The query: SELECT id, email FROM accounts WHERE username = ?
How is this possible? Its very dangerous to our application, please respond quickly.
The text was updated successfully, but these errors were encountered: