OS2iot / OS2iot-backend

This repository contains the backend to the project OS2iot.
Mozilla Public License 2.0

Fix CVE-2022-33171 #193

Closed debricked[bot] closed 1 year ago

debricked[bot] commented 2 years ago

CVE-2022-33171

Vulnerable dependency: typeorm (npm) 0.2.45

Vulnerability details

Description

### Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

> The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.

### NVD

> ** DISPUTED ** The findOne function in TypeORM before 0.3.0 can either be supplied with a string or a FindOneOptions object. When input to the function is a user-controlled parsed JSON object, supplying a crafted FindOneOptions instead of an id string leads to SQL injection. NOTE: the vendor's position is that the user's application is responsible for input validation.

CVSS details - 9.8

| CVSS3 metrics | |
|:-|:-|
| Attack Vector | **Network** |
| Attack Complexity | **Low** |
| Privileges Required | **None** |
| User interaction | **None** |
| Scope | **Unchanged** |
| Confidentiality | **High** |
| Integrity | **High** |
| Availability | **High** |

References

- [NVD - CVE-2022-33171](https://nvd.nist.gov/vuln/detail/CVE-2022-33171)
- [Comparing 0.2.45...0.3.0 · typeorm/typeorm · GitHub](https://github.com/typeorm/typeorm/compare/0.2.45...0.3.0)
- [Full Disclosure: typeorm CVE-2022-33171](https://seclists.org/fulldisclosure/2022/Jun/51)


Related information

:pushpin: Remember! Check the changes to ensure they don't introduce any breaking changes.
:books: Read more about the CVE
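As an added illustration of the input-validation point the NVD note places on the application, here is a guard that lets only an id string reach `findOne()`, run against a stand-in repository so it works without a database. This is example code, not code from OS2iot or TypeORM; the `FindOneOptionsLike` shape, the `FakeRepository`, the digits-only id format and the sample request bodies are assumptions constructed for this example.

```typescript
// Added example (not OS2iot or TypeORM code). TypeORM < 0.3.0 accepted either an
// id string or a FindOneOptions object in the same findOne() parameter, so a
// handler that forwards a parsed JSON value straight through lets the caller pick
// which overload runs. The guard below closes that gap at the application layer.

// Stand-in for the shape TypeORM's FindOneOptions can take (assumption: only the
// `where` and `select` keys are modelled here).
interface FindOneOptionsLike {
  where?: Record<string, unknown>;
  select?: string[];
}

// Stand-in for a TypeORM repository (assumption). It records whether it was
// called with a primitive id or an options object instead of touching a database.
class FakeRepository {
  public calls: Array<{ kind: "id" | "options"; value: unknown }> = [];

  findOne(arg: string | FindOneOptionsLike) {
    if (typeof arg === "string") {
      this.calls.push({ kind: "id", value: arg });
      return { id: arg };
    }
    this.calls.push({ kind: "options", value: arg });
    return { id: "(selected by options)" };
  }
}

// Vulnerable pattern: whatever came out of JSON.parse() is forwarded as-is, so an
// object body selects the options overload even though the code expects an id.
export function lookupUnchecked(repo: FakeRepository, body: unknown) {
  return repo.findOne(body as string);
}

// Hardened pattern: only a string matching the expected id format is allowed
// through. The format (1-18 digits) is an assumption for this example.
const ID_PATTERN = /^[0-9]{1,18}$/;

export function toEntityId(raw: unknown): string {
  if (typeof raw !== "string" || !ID_PATTERN.test(raw)) {
    throw new TypeError("id must be a string of 1-18 digits");
  }
  return raw;
}

export function lookupChecked(repo: FakeRepository, body: unknown) {
  return repo.findOne(toEntityId(body));
}

// Constructed request bodies, as a JSON-accepting handler would receive them.
export const SAMPLE_ID_BODY: unknown = JSON.parse('"42"');
export const SAMPLE_OBJECT_BODY: unknown = JSON.parse('{"where":{"name":"x"}}');

// Runs both patterns against both bodies and reports which overload each call hit
// and whether the guard rejected the object body.
export function demo() {
  const repo = new FakeRepository();
  lookupUnchecked(repo, SAMPLE_ID_BODY);     // id lookup, as intended
  lookupUnchecked(repo, SAMPLE_OBJECT_BODY); // object forwarded: options overload runs
  let rejected = false;
  try {
    lookupChecked(repo, SAMPLE_OBJECT_BODY); // guard throws before findOne() is reached
  } catch {
    rejected = true;
  }
  lookupChecked(repo, SAMPLE_ID_BODY);       // id lookup, as intended
  return { kinds: repo.calls.map((c) => c.kind), rejected };
}
```

The guard checks the runtime type, not just the TypeScript type: a `string` annotation on the handler parameter is erased at compile time and offers no protection against a JSON object arriving in its place.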


AramAlsabti commented 1 year ago

I'm not sure why Debricked seems to have based this on commit df81147 rather than master. Seems to be a misconfiguration. As it stands, this PR is invalid. Moved to https://github.com/OS2iot/OS2IoT-backend/pull/200