feat: throw an error if attribute includes parentheses (fixes CVE-2023-22578) #15710
The goal of this PR is to fix CVE-2023-22578 in Sequelize 6 (thread)
Unlike in v7 where we always escape all non-literal attributes, in v6 using parentheses in an attribute will throw an error by default. This is deliberate to warn users that relied on this feature that the behavior changed.
Users then have 3 options:

- Wrap the attribute in a `literal()` call. This will make Sequelize treat it as raw SQL.
- Set the `attributeBehavior` sequelize option to `"escape"` to make Sequelize escape the attribute, like in Sequelize v7. We highly recommend this option.
- Set the `attributeBehavior` sequelize option to `"unsafe-legacy"` to make Sequelize escape the attribute, like in Sequelize v5.

That feature was deprecated years ago in Sequelize 5. It's still a breaking change, but this is the lesser of the two evils we settled on.
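The following is an added, simplified model (not Sequelize's own code) of how the three `attributeBehavior` modes described above change what a string in an `attributes` array turns into, and why the default now refuses parentheses. The function names (`renderAttribute`, `renderSelect`, `quoteIdentifier`), the `Literal` marker class standing in for `sequelize.literal()`, the Postgres-style double-quote identifier quoting, and the `HOSTILE_ATTR` sample value are all assumptions made for this example; the `"unsafe-legacy"` branch only approximates the old behaviour (strings containing parentheses pass through as raw SQL, all others are quoted).

```javascript
// Added example, not Sequelize's code: a toy model of how an entry in
// `attributes: [...]` becomes SQL under each `attributeBehavior` mode.

const BEHAVIORS = new Set(['throw', 'escape', 'unsafe-legacy']);

// Quote a SQL identifier Postgres-style (assumed dialect): wrap in double
// quotes and double any embedded quote. Parentheses inside the name become
// part of the identifier, so they can no longer change the query's shape.
function quoteIdentifier(name) {
  return `"${String(name).replace(/"/g, '""')}"`;
}

// Marker standing in for sequelize.literal(): raw SQL the caller has
// explicitly opted into, so it is never escaped.
class Literal {
  constructor(sql) { this.sql = sql; }
}
function literal(sql) { return new Literal(sql); }

// Render one `attributes` entry. Default mode is 'throw' (the v6 behaviour
// after this PR); 'escape' models v7; 'unsafe-legacy' models v5.
function renderAttribute(attr, { attributeBehavior = 'throw' } = {}) {
  if (!BEHAVIORS.has(attributeBehavior)) {
    throw new TypeError(`unknown attributeBehavior: ${attributeBehavior}`);
  }
  // literal() is always raw SQL, regardless of mode.
  if (attr instanceof Literal) return attr.sql;

  // [expression, alias] pairs: the alias is always an identifier.
  if (Array.isArray(attr)) {
    const [expr, alias] = attr;
    return `${renderAttribute(expr, { attributeBehavior })} AS ${quoteIdentifier(alias)}`;
  }
  if (typeof attr !== 'string') {
    throw new TypeError('attribute must be a string, [expr, alias] or literal()');
  }

  const hasParens = /[()]/.test(attr);
  switch (attributeBehavior) {
    case 'escape':
      // v7-style: every non-literal attribute is an identifier, full stop.
      return quoteIdentifier(attr);
    case 'unsafe-legacy':
      // v5-style (approximation): parentheses meant "this is a raw
      // expression", so the string was interpolated verbatim. If that
      // string is user-controlled, this is SQL injection.
      return hasParens ? attr : quoteIdentifier(attr);
    default:
      // v6 default after this PR: parentheses suggest the caller relied on
      // raw interpolation; fail loudly instead of silently running it.
      if (hasParens) {
        throw new Error(
          `Attribute "${attr}" contains parentheses. Wrap it in literal() ` +
          'or set attributeBehavior to "escape" or "unsafe-legacy".'
        );
      }
      return quoteIdentifier(attr);
  }
}

// Assemble a SELECT from a table name and an attributes array.
function renderSelect(table, attributes, options) {
  const cols = attributes.map((a) => renderAttribute(a, options)).join(', ');
  return `SELECT ${cols} FROM ${quoteIdentifier(table)}`;
}

// Constructed sample of a value that looks like a column name to naive
// code but is actually SQL (not taken from the PR).
const HOSTILE_ATTR = 'id) FROM users; DROP TABLE users; --';

// Stand-alone demo of the three outcomes for the same input.
for (const mode of ['escape', 'unsafe-legacy', 'throw']) {
  try {
    console.log(mode, '->', renderSelect('users', [HOSTILE_ATTR], { attributeBehavior: mode }));
  } catch (e) {
    console.log(mode, '-> rejected:', e.message);
  }
}
```

Running the demo shows the practical difference between the options: `"escape"` turns the hostile string into a harmless quoted identifier that will simply fail to resolve to a column, `"throw"` rejects it before any SQL is built, and only `"unsafe-legacy"` lets it reach the query verbatim, which is why the PR recommends `"escape"` and keeps the legacy mode strictly for migration.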