mariadb-corporation / mariadb-connector-nodejs

MariaDB Connector/Node.js is used to connect applications developed on Node.js to MariaDB and MySQL databases. MariaDB Connector/Node.js is LGPL licensed.
GNU Lesser General Public License v2.1

escapeId is not safe. #252

Closed Samuel-Jobb closed 9 months ago

Samuel-Jobb commented 10 months ago

I have identified an escape issue that could lead to SQL injections.

The following code within lib/misc/utils.js:

  // to permit working with reserved words
  if (value.match(/^`.+`$/g)) {
    // already escaped
    return value;
  }

could lead to SQL injections by using the following or similar input:

`table`;  DROP TABLE `table`; -- `

Example usage:

const result = escapeId("`table`;  DROP TABLE `table`; -- `");

console.log(result); // "`table`;  DROP TABLE `table`; -- `"

Expected result should be

```table``;  DROP TABLE ``table``; -- ```

and not

`table`;  DROP TABLE `table`; -- `

This is because the regex you're using doesn't properly escape this and assumes it is already escaped, which it isn't.

The simplest fix would be just to remove this if statement and always escape the input no matter what.

rusher commented 9 months ago

Right, this will be released quickly in the next version.