
Failure to sanitize quotes which can lead to SQL injection in squel

Critical severity GitHub Reviewed Published Jun 14, 2019 to the GitHub Advisory Database • Updated Jan 9, 2023

Package

npm squel (npm)

Affected versions

<= 5.13.0

Patched versions

None

Description

All versions of squel are vulnerable to SQL injection.

The squel package does not escape single quotes in user-provided values passed through the setFields method. A quote in the input therefore terminates the string literal early and the remainder of the value becomes part of the statement text. If the generated statement is then executed, an attacker who controls the value can change the structure of the query.

Proof of concept demonstrating the injection of a single quote into a generated SQL statement from user-provided input (note the unbalanced quoting in the output):

> console.log(squel.insert().into('buh').setFields({foo: "bar'baz"}).toString());
INSERT INTO buh (foo) VALUES ('bar'baz')
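To make the failure mode and the fix concrete, the following is an added example written for this page; it is not squel's code and does not depend on the package. naiveInsert models the quoting behaviour the proof of concept above shows (wrap the value in single quotes, escape nothing), parameterizedInsert is the shape of output a safe builder produces (placeholders in the statement text plus a separate values array for the database driver to bind), escapedInsert is the quote-doubling fallback for drivers that cannot bind parameters, and hasBalancedQuotes is a cheap regression probe you can run over any builder's output. All function names, the identifier allow-list regex and the sample input are assumptions of this example.

```javascript
// Added example modelling the advisory's quoting bug and its hardened forms.
// Hypothetical helpers; not squel's own API or source.

// Models the output shown in the advisory for setFields({foo: "bar'baz"}):
// each value is wrapped in single quotes with no escaping, so a quote in the
// input closes the literal early and the rest of the value becomes SQL.
function naiveInsert(table, fields) {
  const cols = Object.keys(fields);
  const vals = cols.map((c) => `'${fields[c]}'`);
  return `INSERT INTO ${table} (${cols.join(', ')}) VALUES (${vals.join(', ')})`;
}

// Table and column names cannot be bound as parameters, so they are checked
// against a strict identifier allow-list instead (assumed policy).
const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;
function checkIdent(name) {
  if (!IDENT.test(name)) throw new Error(`unsafe identifier: ${name}`);
  return name;
}

// Hardened form: the statement text contains only '?' placeholders and the
// values travel separately, so the driver binds them and no quoting is ever
// done in JavaScript.
function parameterizedInsert(table, fields) {
  const cols = Object.keys(fields).map(checkIdent);
  const placeholders = cols.map(() => '?');
  return {
    text: `INSERT INTO ${checkIdent(table)} (${cols.join(', ')}) VALUES (${placeholders.join(', ')})`,
    values: cols.map((c) => fields[c]),
  };
}

// Fallback for drivers without parameter binding: doubling a single quote is
// the standard SQL way to embed one in a string literal. Weaker than binding
// (numeric contexts, charset tricks, identifiers are not covered), so prefer
// parameterizedInsert whenever the driver supports it.
function escapeLiteral(value) {
  return `'${String(value).replace(/'/g, "''")}'`;
}

function escapedInsert(table, fields) {
  const cols = Object.keys(fields).map(checkIdent);
  const vals = cols.map((c) => escapeLiteral(fields[c]));
  return `INSERT INTO ${checkIdent(table)} (${cols.join(', ')}) VALUES (${vals.join(', ')})`;
}

// Regression probe: a well-formed statement made only of quoted literals and
// doubled quotes always has an even number of single quotes. An odd count is
// the signature of the advisory's bug.
function hasBalancedQuotes(sql) {
  return (sql.match(/'/g) || []).length % 2 === 0;
}

// Constructed input modelled on the advisory's proof of concept.
const userInput = { foo: "bar'baz" };

console.log(naiveInsert('buh', userInput));         // unbalanced, injectable
console.log(parameterizedInsert('buh', userInput)); // placeholders + values
console.log(escapedInsert('buh', userInput));       // doubled quote
```

Run the same `bar'baz` probe against whatever builder you adopt in place of squel: if the raw value appears in the statement text rather than in a bound-values array, the builder is doing string interpolation and hasBalancedQuotes should be part of its test suite.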

Recommendation

There is no fix at this time and the issue has been reported publicly. Consider using another query builder that provides strong guarantees against SQL injection, preferably one that emits parameterized statements (placeholders plus separately bound values) rather than interpolating quoted values into the statement text. Until squel is replaced, treat any statement it builds from user-controlled values as untrusted and do not execute it.

References

Reviewed Jun 14, 2019
Published to the GitHub Advisory Database Jun 14, 2019
Last updated Jan 9, 2023

Severity

Critical

CVE ID

No known CVE

GHSA ID

GHSA-4qhx-g9wp-g9m6
