CVE-2023-25813 vulnerability
I use NestJS with Sequelize, and while installing a new package I was warned about a Critical severity issue. If there is a vulnerability it has to be dealt with right away, and besides upgrading I also wanted to see how the vulnerability can be reproduced.
A rough summary of what I found:
CVE-2023-25813
I. Reproduction:
https://github.com/advisories/GHSA-wrh9-cjv3-2hpw
Application code:
const { or, literal } = require('sequelize'); // affected: sequelize < 6.19.1

// firstName and lastName come straight from the request body
User.findAll({
  where: or(
    // :firstName is a replacement placeholder inside a raw literal
    literal('soundex("firstName") = soundex(:firstName)'),
    // lastName is escaped as an ordinary where value
    { lastName: lastName },
  ),
  replacements: { firstName },
})
User input:
{
"firstName": "OR true; DROP TABLE users;",
"lastName": ":firstName"
}
Sequelize first generates the SQL (the lastName value is escaped, the literal still holds its placeholder):
SELECT * FROM users WHERE soundex("firstName") = soundex(:firstName) OR "lastName" = ':firstName'
Placeholder replacement is then applied to the whole query, and since the escaped lastName value also contains :firstName, the final SQL becomes:
SELECT * FROM users WHERE soundex("firstName") = soundex('OR true; DROP TABLE users;') OR "lastName" = ''OR true; DROP TABLE users;''
A textbook SQL injection, high risk.
II. Prevention
Do not use the replacements and the where option in the same query if you are not using Sequelize >= 6.19.1
- Upgrade the Sequelize version.
- Do not use where and replacements in the same query.
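To show why the substitution order in sections I and II matters, here is an added example in plain JavaScript (not Sequelize's own code) that models placeholder substitution with string functions: the vulnerable build applies replacements to the whole query after the where values were escaped, while the safe build expands placeholders only inside the developer's literal. The names escapeString, applyReplacements, buildVulnerable and buildSafe are assumed for this illustration and do not claim to match the internals of the Sequelize fix.

```javascript
// Added example: models the placeholder substitution order behind
// CVE-2023-25813 with plain string functions (not Sequelize code).

// Minimal SQL string escaping: wrap in quotes, double embedded quotes.
function escapeString(value) {
  return "'" + String(value).replace(/'/g, "''") + "'";
}

// Substitute every `:name` placeholder with the escaped replacement value.
// A function callback is used so `$` sequences in values are not special.
function applyReplacements(sql, replacements) {
  return sql.replace(/:(\w+)/g, (match, name) =>
    Object.prototype.hasOwnProperty.call(replacements, name)
      ? escapeString(replacements[name])
      : match);
}

// Vulnerable ordering: escape the where value, concatenate it with the
// literal, then run replacements over the whole string. A `:firstName`
// token inside the already-escaped lastName value is expanded too.
function buildVulnerable(literalSql, whereValues, replacements) {
  const whereSql = `"lastName" = ${escapeString(whereValues.lastName)}`;
  const combined = `SELECT * FROM users WHERE ${literalSql} OR ${whereSql}`;
  return applyReplacements(combined, replacements);
}

// Safe ordering: expand placeholders only in the literal the developer
// wrote, then attach escaped where values. User data is never rescanned
// for placeholders, so a value of ':firstName' stays a plain string.
function buildSafe(literalSql, whereValues, replacements) {
  const expandedLiteral = applyReplacements(literalSql, replacements);
  const whereSql = `"lastName" = ${escapeString(whereValues.lastName)}`;
  return `SELECT * FROM users WHERE ${expandedLiteral} OR ${whereSql}`;
}

// Constructed input: the literal and request body from the advisory.
const LITERAL = 'soundex("firstName") = soundex(:firstName)';
const USER_INPUT = { firstName: 'OR true; DROP TABLE users;', lastName: ':firstName' };

function demo() {
  const replacements = { firstName: USER_INPUT.firstName };
  return {
    vulnerable: buildVulnerable(LITERAL, USER_INPUT, replacements),
    safe: buildSafe(LITERAL, USER_INPUT, replacements),
  };
}

console.log(demo());
```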
CVE-2023-22578
A vulnerability that barely counts as one: do not use user input as column names.
https://github.com/advisories/GHSA-8mwq-mj73-qv68
https://github.com/sequelize/sequelize/discussions/15694
Hi!
At the present time I do not know.
The problem is that, while I did make the changes to remove a footgun in v7, that behavior was not a bug but a deliberate feature implemented by one of the previous teams that worked on Sequelize, and there are codebases relying on it.
Backporting #15374 would introduce a breaking change in a minor release. We've exceptionally done that in the past when we fixed a major issue (#14519), but I am not convinced that it's warranted for this one.
The reason I think releasing this breaking change in a minor release is unwarranted is that it can only be a problem if you use user-provided values as the name of a column to select. Even without the fix, you should make sure that input is safe as the query will crash if the input is not a valid attribute name.
We're stuck between a rock and a hard place. We can either introduce a breaking change in a minor release, or have a critical vulnerability warning.
We need to check with the people that published that vulnerability if they would consider a big bold warning that that property accepts arbitrary SQL (and therefore that user data should not be used in it) to be sufficient to dismiss the audit warning.