fix: improve filter sanitisation
Add sanitisation of user input for the `contains` LoopBack filter, which may otherwise allow arbitrary SQL injection.

Signed-off-by: Rifa Achrinza <25147899+achrinza@users.noreply.github.com>
achrinza committed Aug 4, 2022
1 parent 1a863f3 commit d57406c
Showing 1 changed file with 4 additions and 3 deletions.
7 changes: 4 additions & 3 deletions lib/postgresql.js
Expand Up @@ -545,10 +545,11 @@ PostgreSQL.prototype.buildExpression = function(columnName, operator,
return new ParameterizedSQL(columnName + regexOperator,
[operatorValue.source]);
case 'contains':
return new ParameterizedSQL(columnName + ' @> array[' + operatorValue.map((v) => `'${v}'`) + ']::'
+ propertyDefinition.postgresql.dataType);
return new ParameterizedSQL(columnName + ' @> array[' + operatorValue.map(() => '?') + ']::'
+ propertyDefinition.postgresql.dataType,
operatorValue);
case 'match':
return new ParameterizedSQL(`to_tsvector(${columnName}) @@ to_tsquery('${operatorValue}')`);
return new ParameterizedSQL(`to_tsvector(${columnName}) @@ to_tsquery(?)`, [operatorValue]);
default:
// invoke the base implementation of `buildExpression`
return this.invokeSuper('buildExpression', columnName, operator,
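Review bot: The new `contains` branch builds its placeholder list by concatenating the array returned from `operatorValue.map(() => '?')` straight into the SQL string, so it relies on implicit `Array#toString` producing the comma-separated `?,?,?`; making the join explicit reads as intended, e.g. `const placeholders = operatorValue.map(() => '?').join(',');` followed by `columnName + ' @> array[' + placeholders + ']::' + propertyDefinition.postgresql.dataType`. The branch also assumes `operatorValue` is an array: a filter such as `{contains: 'x'}` reaches `.map` on a string and throws a TypeError out of the connector rather than a descriptive error, so an `Array.isArray(operatorValue)` guard before the mapping would be worth adding. `columnName` and `propertyDefinition.postgresql.dataType` are still interpolated into the statement text; that appears to be model-definition data rather than request input, but a comment stating that assumption above the `case 'contains':` would help the next reader. `buildExpression` begins before and continues after this hunk.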
