stripe-escape-input

1.0.2 • Public • Published

Stripe Escape Input

Prevent injections in Stripe search queries by escaping user input.

Problem

const stripe = require("stripe")(process.env.STRIPE_SECRET_KEY)

// attacker-controlled value, e.g. from a request parameter
const userInput = "124' OR created>0 OR status:'active"

let subscriptions = await stripe.subscriptions.search({
    // becomes: metadata['myField']: '124' OR created>0 OR status:'active'
    query: `metadata['myField']: '${userInput}'`
})
console.log(subscriptions) // all subscriptions ever due to injection

User input that is interpolated directly into a Stripe search query is vulnerable to injection: a single quote in the input closes the quoted value, and the rest of the input is parsed as additional query terms. This can be exploited to gain access to all records. The principle is basically the same as in SQL injection.

Solution

To prevent injections, we need to escape the user input before using it in a Stripe search query.

npm i stripe-escape-input

const escapeInput = require("stripe-escape-input")
const stripe = require("stripe")(process.env.STRIPE_SECRET_KEY)

const userInput = "124' OR created>0 OR status:'active"

let subscriptions = await stripe.subscriptions.search({
    query: `metadata['myField']: '${escapeInput(userInput)}'`
})
console.log(subscriptions) // 0 subscriptions
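As an added example, not the package's own implementation, the following escape routine assumes Stripe's documented rule that a quote inside a quoted search value is escaped with a backslash, and pairs it with a tokenizer-style check that shows the raw input breaks out of the quoted value while the escaped input stays inside it. escapeInput, buildMetadataQuery and countQuotedValues are hypothetical names.

```javascript
// Hypothetical escape routine (not stripe-escape-input's code). Assumes
// Stripe search syntax: inside a quoted value, a backslash escapes the
// next character, so "\" and the single quote used around the value are
// the characters that must be neutralised.
function escapeInput(value) {
  if (typeof value !== "string") {
    throw new TypeError("search value must be a string");
  }
  // Escape the escape character first so later replacements stay literal.
  return value.replace(/\\/g, "\\\\").replace(/'/g, "\\'");
}

// Build one metadata clause. Escaping only protects the quoted value, so the
// field name is restricted with an allow-list instead of being escaped.
function buildMetadataQuery(field, value) {
  if (!/^[A-Za-z0-9_]+$/.test(field)) {
    throw new Error(`unsafe metadata field name: ${field}`);
  }
  return `metadata['${field}']: '${escapeInput(value)}'`;
}

// Count quoted strings the way a tokenizer would: a backslash protects the
// next character. One metadata clause holds exactly two quoted strings
// (the key and the value); any more means the value was broken out of.
function countQuotedValues(query) {
  let count = 0;
  let inQuote = null;
  for (let i = 0; i < query.length; i++) {
    const c = query[i];
    if (c === "\\") { i++; continue; }
    if (inQuote === null && (c === "'" || c === '"')) { inQuote = c; }
    else if (c === inQuote) { inQuote = null; count++; }
  }
  return count;
}

// Constructed input, the same payload as in the README above.
const userInput = "124' OR created>0 OR status:'active";
const unsafeQuery = `metadata['myField']: '${userInput}'`;
const safeQuery = buildMetadataQuery("myField", userInput);
console.log(countQuotedValues(unsafeQuery)); // 3: the value was split open
console.log(countQuotedValues(safeQuery));   // 2: key and one intact value
```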

License: MIT

Collaborators: soerenmetje