SQL Injection/Syntax error inserting GeoJSON documents with single quotes #6194
Just to be more clear: This is a pretty major security issue. Anyone who accepts user data with geojson types is vulnerable to a SQL injection on the insert.
Proof of concept:

```json
{
  "type": "MultiPolygon",
  "properties": {
    "exploit": "'); drop schema public cascade; -- "
  },
  "coordinates": []
}
```

Send this object to any Sequelize-backed service as the value of a GeoJSON type and it will drop the entire database - not good!

Query generated by Sequelize:

```sql
INSERT INTO "boundaries" ("geo") VALUES (ST_GeomFromGeoJSON('{"type":"MultiPolygon","properties":{"exploit": "'); drop schema public cascade; -- "},"coordinates":[]}')) RETURNING *;
```
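The comment above shows the root cause: the serialized GeoJSON is pasted into a single-quoted SQL literal, so the first `'` inside the document closes the literal and whatever follows is parsed as SQL. The following is an added example (JavaScript, written for this page; it is not Sequelize's code) that mimics that interpolation, places two hardened builders beside it (quote doubling, and a bind parameter in the `{text, values}` shape that node-postgres style clients accept, which is an assumption about the caller's driver), and uses a small reader for Postgres `'...'` literals to show where the database would actually see each literal end. The payload is the constructed one from the issue.

```javascript
// Added example, not Sequelize's code: why interpolating a GeoJSON document
// into a SQL string literal is injectable, and two safe alternatives.

// Constructed payload, mirroring the shape reported in the issue.
const maliciousGeoJson = {
  type: "MultiPolygon",
  properties: { exploit: "'); drop schema public cascade; -- " },
  coordinates: [],
};

// VULNERABLE: mimics the generated query quoted in the issue. The JSON text is
// dropped into a single-quoted literal without escaping, so a quote inside the
// document terminates the literal early.
function buildQueryNaive(table, column, geojson) {
  const json = JSON.stringify(geojson);
  return `INSERT INTO "${table}" ("${column}") VALUES (ST_GeomFromGeoJSON('${json}')) RETURNING *;`;
}

// HARDENED (literal escaping): double every single quote so the literal stays
// closed. Assumes Postgres standard_conforming_strings=on (the default), under
// which backslashes are not escape characters inside '...' literals.
function escapeSqlString(s) {
  return s.replace(/'/g, "''");
}
function buildQueryEscaped(table, column, geojson) {
  const json = escapeSqlString(JSON.stringify(geojson));
  return `INSERT INTO "${table}" ("${column}") VALUES (ST_GeomFromGeoJSON('${json}')) RETURNING *;`;
}

// HARDENED (preferred): bind parameter. The document never touches the SQL
// text; the driver sends it separately. {text, values} is the shape used by
// node-postgres style clients (assumption about the caller's driver).
function buildQueryParameterized(table, column, geojson) {
  return {
    text: `INSERT INTO "${table}" ("${column}") VALUES (ST_GeomFromGeoJSON($1)) RETURNING *;`,
    values: [JSON.stringify(geojson)],
  };
}

// Reader for a Postgres single-quoted string literal whose opening quote is at
// `pos`. Applies the '' doubling rule. Returns the decoded literal and the SQL
// text that follows it, i.e. where the literal ends from the parser's view.
function readSqlStringLiteral(sql, pos) {
  if (sql[pos] !== "'") throw new Error("expected opening quote");
  let out = "";
  let i = pos + 1;
  while (i < sql.length) {
    if (sql[i] === "'") {
      if (sql[i + 1] === "'") { out += "'"; i += 2; continue; } // doubled quote
      return { literal: out, rest: sql.slice(i + 1) };          // closing quote
    }
    out += sql[i];
    i += 1;
  }
  throw new Error("unterminated string literal");
}

// Decode the literal handed to ST_GeomFromGeoJSON in a generated query and
// report the SQL text that follows it.
function inspectGeoJsonArgument(sql) {
  const marker = "ST_GeomFromGeoJSON(";
  const start = sql.indexOf(marker + "'");
  if (start < 0) throw new Error("no quoted GeoJSON argument found");
  const { literal, rest } = readSqlStringLiteral(sql, start + marker.length);
  return { literal, trailingSql: rest };
}

// Compare the three builders on the constructed payload.
function demo() {
  const expected = JSON.stringify(maliciousGeoJson);
  const naive = inspectGeoJsonArgument(buildQueryNaive("boundaries", "geo", maliciousGeoJson));
  const escaped = inspectGeoJsonArgument(buildQueryEscaped("boundaries", "geo", maliciousGeoJson));
  const param = buildQueryParameterized("boundaries", "geo", maliciousGeoJson);
  return {
    naiveLiteralIsWholeDocument: naive.literal === expected,
    naiveTrailingSql: naive.trailingSql,
    escapedLiteralIsWholeDocument: escaped.literal === expected,
    parameterizedTextContainsPayload: param.text.includes("drop schema"),
  };
}

console.log(demo());
```

Running `demo()` shows the naive query's literal ending right after `"exploit":"`, with `); drop schema public cascade; -- ...` left over as live SQL, while the escaped literal round-trips to the full document and the parameterized query text never contains the payload at all. Quote doubling is only as good as the escaping rules of the target dialect, which is why binding the document as a parameter is the form to prefer.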
This is now listed in NSP as a critical vulnerability and breaks all builds that use
FWIW, you can set up an nsp exception for this by adding an .nsprc file with something like the following:

```json
{
  "exceptions": [
    "https://nodesecurity.io/advisories/122" // SQL Injection via GeoJSON
  ]
}
```
Fix released in v3.23.5

@sushantdhiman I didn't make the NSP advisory, I think that was @PizzaBrandon
@contra It says issue reported by Thanks for reporting this. Also, please report security issues to maintainers privately so we can patch them before any attacker knows about them :)

@sushantdhiman Who is the contact point? There are a lot of contributors on this repository. Might be a good idea to have a security.md with info
You can report to @mickhansen, @janmeier or me. You can contact by

^ It might be a good idea to add this contact information to the documentation somewhere specifically for security issues.

For future reference, we now have a responsible-disclosure section in the readme. Security issues must be reported accordingly.
Still not available in the npm version. Maybe this should be backported if the 4.x release isn't ready. |
@felixfbecker Sorry, checked the changelog and saw it under the 4.0.0 release. |
What are you doing?
Inserting GeoJSON documents with single quotes in an attribute.
What do you expect to happen?
No errors.
What is actually happening?
Errors.
Seems like the GeoJSON string is not being escaped at all, so having a single quote in any property in the GeoJSON is causing a syntax error.
Dialect: postgres
Database version: 9.5.3
Sequelize version: 3.23.4