leoric
[feat] security raw query type scan and validate
e.g.
realm.query(`SELECT * FROM users WHERE id = 1; DELETE FROM users`);
querying multiple statements is disabled by default if mysqljs/mysql is used https://github.com/mysqljs/mysql#multiple-statement-queries
IMHO, possible causes of such queries might be like below:
realm.query(`SELECT * FROM users WHERE id = ${ctx.query.id}`);
which can be checked in advance by enforcing some lint rules. Otherwise, to eliminate such a problem thoroughly, we might need to check the raw SQL before sending it to the database. Would that be a bit too much?
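As an added example of the "check the raw SQL before sending it" idea (this is not leoric's code, and `scanStatements` / `validateRawQuery` are assumed names), a small scanner that splits raw SQL into statements while ignoring `;` inside string literals and comments, and reports each statement's leading keyword, so a caller can reject multi-statement input or any non-SELECT before the query reaches the database:

```javascript
// Added example, not code from the leoric project: scan raw SQL into
// statements (a ";" inside quotes or comments does not count as a
// terminator) and report each statement's leading keyword.
function scanStatements(sql) {
  const statements = [];
  let current = '';
  let i = 0;
  const n = sql.length;
  while (i < n) {
    const c = sql[i], next = sql[i + 1];
    if ((c === '-' && next === '-') || c === '#') {        // line comment
      while (i < n && sql[i] !== '\n') i++;
      continue;
    }
    if (c === '/' && next === '*') {                        // block comment
      const end = sql.indexOf('*/', i + 2);
      i = end === -1 ? n : end + 2;
      continue;
    }
    if (c === "'" || c === '"' || c === '`') {              // quoted literal / identifier
      let j = i + 1;
      while (j < n) {
        if (sql[j] === '\\') { j += 2; continue; }           // backslash escape
        if (sql[j] === c) {
          if (sql[j + 1] === c) { j += 2; continue; }        // doubled quote escape
          break;
        }
        j++;
      }
      current += sql.slice(i, j + 1);
      i = j + 1;
      continue;
    }
    if (c === ';') {                                        // statement terminator
      if (current.trim()) statements.push(current.trim());
      current = '';
      i++;
      continue;
    }
    current += c;
    i++;
  }
  if (current.trim()) statements.push(current.trim());
  return statements.map(text => ({ text, keyword: (text.match(/^[A-Za-z]+/) || [''])[0].toUpperCase() }));
}

// Reject raw SQL that holds more than one statement, or whose statement
// type is not on the allow-list (only SELECT by default).
function validateRawQuery(sql, allowed = ['SELECT']) {
  const stmts = scanStatements(sql);
  if (stmts.length !== 1) throw new Error(`expected exactly one statement, got ${stmts.length}`);
  if (!allowed.includes(stmts[0].keyword)) throw new Error(`statement type ${stmts[0].keyword} not allowed`);
  return stmts[0];
}
```

On the issue's own example the scanner reports two statements (SELECT, DELETE) and `validateRawQuery` throws; a trailing `;` or a `;` inside a quoted value is not flagged.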