I use NestJS with Sequelize, and while installing a new package npm audit reported a Critical advisory. If there is a vulnerability it has to be dealt with right away: upgrade, but also look at how the vulnerability is actually reproduced, so that the fix can be verified.

The rough findings are as follows:

CVE-2023-25813

I. Reproducing the vulnerability:

https://github.com/advisories/GHSA-wrh9-cjv3-2hpw

Application code (the pattern from the advisory):

const { literal, or } = require('sequelize');

// Vulnerable pattern: a literal containing a :firstName placeholder, a
// user-controlled value (lastName) in the same `where`, and `replacements`
// on the same query. firstName and lastName both come from the request.
User.findAll({
  where: or(
    literal('soundex("firstName") = soundex(:firstName)'),
    { lastName: lastName },
  ),
  replacements: { firstName },
});

User input (request body):

{
"firstName": "OR true; DROP TABLE users;",
"lastName": ":firstName"
}

SQL as Sequelize first renders it: the `where` values are escaped into string literals, while the `:firstName` placeholder in the literal is still untouched:

SELECT * FROM users WHERE soundex("firstName") = soundex(:firstName) OR "lastName" = ':firstName'

Replacements are then applied over the whole rendered string, including inside the already-escaped `':firstName'` value, so the final SQL is:

SELECT * FROM users WHERE soundex("firstName") = soundex('OR true; DROP TABLE users;') OR "lastName" = ''OR true; DROP TABLE users;''

A textbook SQL injection, and a critical one: the doubled quotes `''` close off an empty string literal, `OR true` then matches every row, and the `;` lets `DROP TABLE users;` run as a second statement on any connection that allows multiple statements. The root cause is ordering: user values were escaped first, and the placeholder substitution ran afterwards over text that already contained user data.

II. Prevention

Do not use the replacements and the where option in the same query if you are not using Sequelize >= 6.19.1

  • Upgrade Sequelize to 6.19.1 or later and re-run the audit to confirm the advisory is gone.
  • On older versions, never combine `where` and `replacements` in one query. If a value must reach a literal, pass it with the `bind` option (`$name` placeholders) instead: bind parameters are sent to the database separately from the SQL text, so they are never substituted into it.
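The escape-then-substitute ordering described above, as an added JavaScript model (this is not Sequelize's source and not code from the original post). `escapeLiteral`, `applyReplacements`, `buildVulnerable`, `buildFixed` and `findSmuggledPlaceholders` are helpers invented for this illustration; `buildFixed` shows the ordering property a correct implementation must have, not the actual upstream patch. The request body is the one from the advisory scenario.

```javascript
// Added illustration, not Sequelize's own code: a minimal model of the
// escape-then-replace ordering behind CVE-2023-25813. All helpers below are
// hypothetical and exist only for this page.

// Render a JS value as a SQL string literal (single quotes doubled).
function escapeLiteral(value) {
  return "'" + String(value).replace(/'/g, "''") + "'";
}

// Substitute every :name placeholder whose name is a replacement key.
function applyReplacements(sql, replacements) {
  return sql.replace(/:(\w+)/g, (match, name) =>
    Object.prototype.hasOwnProperty.call(replacements, name)
      ? escapeLiteral(replacements[name])
      : match,
  );
}

// Vulnerable ordering: the where clause is rendered first, with the user
// value escaped, and replacements then run over the finished SQL text. A
// placeholder smuggled inside the escaped value is therefore substituted too.
function buildVulnerable(literalSql, lastName, replacements) {
  const rendered =
    `SELECT * FROM users WHERE ${literalSql} OR "lastName" = ${escapeLiteral(lastName)}`;
  return applyReplacements(rendered, replacements);
}

// Safe ordering (an illustration of the property a fix needs, not the real
// Sequelize patch): placeholders are substituted into the raw literal only,
// before it is combined with the escaped where values.
function buildFixed(literalSql, lastName, replacements) {
  const fragment = applyReplacements(literalSql, replacements);
  return `SELECT * FROM users WHERE ${fragment} OR "lastName" = ${escapeLiteral(lastName)}`;
}

// Input-side check for code stuck on an old version: refuse any where value
// that contains a placeholder naming one of the replacement keys.
function findSmuggledPlaceholders(whereValues, replacements) {
  const hits = [];
  for (const [column, value] of Object.entries(whereValues)) {
    for (const name of Object.keys(replacements)) {
      if (String(value).includes(':' + name)) hits.push({ column, name });
    }
  }
  return hits;
}

// Constructed request body, taken from the advisory scenario.
const LITERAL = 'soundex("firstName") = soundex(:firstName)';
const ATTACKER_INPUT = { firstName: 'OR true; DROP TABLE users;', lastName: ':firstName' };
const REPLACEMENTS = { firstName: ATTACKER_INPUT.firstName };

console.log('vulnerable:', buildVulnerable(LITERAL, ATTACKER_INPUT.lastName, REPLACEMENTS));
console.log('fixed:     ', buildFixed(LITERAL, ATTACKER_INPUT.lastName, REPLACEMENTS));
console.log('smuggled:  ', findSmuggledPlaceholders({ lastName: ATTACKER_INPUT.lastName }, REPLACEMENTS));
```

Running it prints the exact injected query shown above for the vulnerable ordering, while the fixed ordering leaves `"lastName" = ':firstName'` as a harmless string comparison. The `findSmuggledPlaceholders` check is a stopgap for request validation, not a substitute for the upgrade.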

CVE-2023-22578

Not really a vulnerability so much as a footgun: never take column or attribute names from user input.

https://github.com/advisories/GHSA-8mwq-mj73-qv68

https://github.com/sequelize/sequelize/discussions/15694

ephys explains as follows:

Hi!

At the present time I do not know.

The problem is that, while I did make the changes to remove a footgun in v7, that behavior was not a bug but a deliberate feature implemented by one of the previous teams that worked on Sequelize, and there are codebases relying on it.

Backporting #15374 would introduce a breaking change in a minor release. We've exceptionally done that in the past when we fixed a major issue (#14519), but I am not convinced that it's warranted for this one.

The reason I think releasing this breaking change in a minor release is unwarranted is that it can only be a problem if you use user-provided values as the name of a column to select. Even without the fix, you should make sure that input is safe as the query will crash if the input is not a valid attribute name.

We're stuck between a rock and a hard place. We can either introduce a breaking change in a minor release, or have a critical vulnerability warning.

We need to check with the people that published that vulnerability if they would consider a big bold warning that that property accepts arbitrary SQL (and therefore that user data should not be used in it) to be sufficient to dismiss the audit warning.
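The practical defence for the attributes case, as an added JavaScript example (not Sequelize's code and not from the original post or the discussion above): the client may request fields, but only names from a server-side allowlist are ever passed to the `attributes` option. `attributesFromQuery`, `looksLikeRawAttribute` and `auditAttributes` are invented names; the allowlist is constructed for the example and would normally come from the model definition. The audit helper flags attribute strings containing parentheses, which the linked advisory describes as being passed through as raw SQL.

```javascript
// Added illustration, not Sequelize's own code. All helpers and the
// allowlist below are hypothetical and exist only for this page.

// Constructed allowlist. In a real application derive it from the model
// (for example the keys of User.rawAttributes) instead of hard-coding it.
const USER_ATTRIBUTES = new Set(['id', 'firstName', 'lastName', 'email']);
const DEFAULT_ATTRIBUTES = ['id', 'firstName', 'lastName'];

// Turn a ?fields=a,b,c query parameter into an `attributes` array that only
// ever contains names from the allowlist. Anything else is rejected outright
// rather than passed through, so user input never becomes a column expression.
function attributesFromQuery(fieldsParam, allowed = USER_ATTRIBUTES) {
  if (fieldsParam === undefined || fieldsParam === '') return [...DEFAULT_ATTRIBUTES];
  if (typeof fieldsParam !== 'string') throw new TypeError('fields must be a string');
  const picked = [];
  for (const raw of fieldsParam.split(',')) {
    const name = raw.trim();
    if (!allowed.has(name)) {
      throw new RangeError(`attribute not allowed: ${JSON.stringify(name)}`);
    }
    if (!picked.includes(name)) picked.push(name);
  }
  return picked;
}

// Audit helper for existing code: flag `attributes` entries whose string
// contains parentheses, the shape the advisory says is treated as raw SQL.
// Entries may be plain strings or [expression, alias] pairs.
function looksLikeRawAttribute(entry) {
  const expr = Array.isArray(entry) ? entry[0] : entry;
  return typeof expr === 'string' && expr.includes('(') && expr.includes(')');
}

// Return the entries of an attributes array that deserve a manual review.
function auditAttributes(attributes) {
  return attributes.filter(looksLikeRawAttribute);
}

console.log(attributesFromQuery('id, firstName,id'));
console.log(auditAttributes(['id', ['(SELECT password FROM users LIMIT 1)', 'leak'], 'email']));
```

Use `attributesFromQuery` at the controller boundary so the model layer only ever sees allowlisted names, and run `auditAttributes` over the `attributes` arrays already in the code base to find the places where a parenthesised expression is built from anything other than a constant.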
