node-sql-template-strings
chore(deps): update dependency sequelize to v6 [security]
This PR contains the following updates:
Package | Change | Age | Adoption | Passing | Confidence
---|---|---|---|---|---
sequelize (source) | ^4.0.0 -> ^6.0.0 | | | |
GitHub Vulnerability Alerts
CVE-2019-10752
Affected versions of sequelize are vulnerable to SQL Injection. The function sequelize.json() incorrectly formatted sub paths for JSON queries, which allows attackers to inject SQL statements and execute arbitrary SQL queries if user input is passed to the query. Exploitation example:
return User.findAll({
where: this.sequelize.json("data.id')) AS DECIMAL) = 1 DELETE YOLO INJECTIONS; -- ", 1)
});
Recommendation
If you are using sequelize 5.x, upgrade to version 5.15.1 or later.
If you are using sequelize 4.x, upgrade to version 4.44.3 or later.
CVE-2019-10748
Affected versions of sequelize are vulnerable to SQL Injection. The package fails to sanitize JSON path keys in the MariaDB and MySQL dialects, which may allow attackers to inject SQL statements and execute arbitrary SQL queries.
Recommendation
If you are using sequelize 5.x, upgrade to version 5.8.11 or later.
If you are using sequelize 4.x, upgrade to version 4.44.3 or later.
If you are using sequelize 3.x, upgrade to version 3.35.1 or later.
CVE-2023-25813
Impact
The SQL injection exploit is related to replacements. Here is such an example:
In the following query, some parameters are passed through replacements, and some are passed directly through the where
option.
User.findAll({
where: or(
literal('soundex("firstName") = soundex(:firstName)'),
{ lastName: lastName },
),
replacements: { firstName },
})
This is a very legitimate use case, but this query was vulnerable to SQL injection due to how Sequelize processed the query: Sequelize built a first query using the where option, then passed it over to sequelize.query, which parsed the resulting SQL to inject all :replacements.
If the user passed values such as
{
"firstName": "OR true; DROP TABLE users;",
"lastName": ":firstName"
}
Sequelize would first generate this query:
SELECT * FROM users WHERE soundex("firstName") = soundex(:firstName) OR "lastName" = ':firstName'
Then would inject replacements in it, which resulted in this:
SELECT * FROM users WHERE soundex("firstName") = soundex('OR true; DROP TABLE users;') OR "lastName" = ''OR true; DROP TABLE users;''
As you can see this resulted in arbitrary user-provided SQL being executed.
Patches
The issue was fixed in Sequelize 6.19.1
Workarounds
Do not use the replacements and the where option in the same query if you are not using Sequelize >= 6.19.1.
References
See this thread for more information: https://github.com/sequelize/sequelize/issues/14519
Snyk: https://security.snyk.io/vuln/SNYK-JS-SEQUELIZE-2932027
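As an added example that is not part of the advisory or of Sequelize itself, the guard below enforces the workaround above: it refuses query options that combine replacements with where when the installed version predates 6.19.1. It assumes the caller reads the installed version string (for example from sequelize/package.json) and that the options object is the one about to be handed to Model.findAll or sequelize.query.

```javascript
// Added example (not Sequelize's own code): pre-flight guard for the
// CVE-2023-25813 workaround. Assumes the caller passes the installed
// Sequelize version string and the query options it is about to use.

const FIXED_VERSION = '6.19.1'; // first release carrying the fix, per the advisory

// Numeric comparison of dotted version strings: returns -1, 0 or 1.
// A pre-release suffix such as '-beta.1' is ignored for this check.
function compareVersions(a, b) {
  const parse = (v) => v.split('-')[0].split('.').map((n) => Number(n) || 0);
  const pa = parse(a);
  const pb = parse(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when the options carry both `replacements` and `where`, the
// combination the advisory describes. Nested `include` entries with their
// own `where` are checked too, as they are rendered into the same SQL string.
function mixesReplacementsAndWhere(options) {
  if (!options || typeof options !== 'object' || options.replacements === undefined) {
    return false;
  }
  const hasWhere = (o) =>
    !!o && typeof o === 'object' &&
    (o.where !== undefined || (Array.isArray(o.include) && o.include.some(hasWhere)));
  return hasWhere(options);
}

// Throws on the unsafe combination when the installed version predates the
// fix; otherwise returns the options unchanged so it can sit in a call chain.
function assertSafeQueryOptions(options, installedVersion) {
  if (compareVersions(installedVersion, FIXED_VERSION) < 0 && mixesReplacementsAndWhere(options)) {
    throw new Error(
      `Refusing query: 'replacements' combined with 'where' is unsafe on Sequelize ` +
      `${installedVersion} (< ${FIXED_VERSION}, CVE-2023-25813)`
    );
  }
  return options;
}
```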
CVE-2023-22580
Due to improper input filtering in the sequelize js library, malicious queries can lead to sensitive information disclosure.
CVE-2023-22579
Impact
Providing an invalid value to the where option of a query caused Sequelize to ignore that option instead of throwing an error.
A finder call like the following did not throw an error:
User.findAll({
where: new Date(),
});
As this option is typically used with plain javascript objects, be aware that this only happens at the top level of this option.
Patches
This issue has been patched in [email protected] & @sequelize/[email protected]
References
A discussion thread about this issue is open at https://github.com/sequelize/sequelize/discussions/15698
CVE: CVE-2023-22579 Snyk: https://security.snyk.io/vuln/SNYK-JS-SEQUELIZE-3324090
CVE-2023-22578
Impact
Sequelize 6.28.2 and prior has a dangerous feature where using parentheses in the attributes option would make Sequelize use the string as-is in the SQL:
User.findAll({
attributes: [
['count(id)', 'count']
]
});
Produced
SELECT count(id) AS "count" FROM "users"
Patches
This feature was deprecated in Sequelize 5, and using it prints a deprecation warning.
This issue has been patched in @sequelize/[email protected] and [email protected].
In Sequelize 7, it now produces the following:
SELECT "count(id)" AS "count" FROM "users"
In Sequelize 6, it throws an error explaining that we had to introduce a breaking change, and requires the user to explicitly opt-in to either the Sequelize 7 behavior (always escape) or the Sequelize 5 behavior (inline attributes that include () without escaping). See https://github.com/sequelize/sequelize/pull/15710 for more information.
Mitigations
Do not use user-provided content to build your list of attributes. If you do, make sure that the attribute in question actually exists on your model by checking that it exists in the rawAttributes property of your model first.
A discussion thread about this issue is open at https://github.com/sequelize/sequelize/discussions/15694
CVE: CVE-2023-22578
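The rawAttributes check from the mitigation above, as an added example that is neither the advisory's nor Sequelize's own code. userModel is a constructed stand-in carrying only the rawAttributes shape the check reads, and the plain-identifier rule for aliases is an extra assumption not stated on the page.

```javascript
// Added example (not Sequelize's own code): allow-list user-requested
// attribute names against a model's rawAttributes before building the
// `attributes` option. `userModel` is a constructed stand-in, not a real model.

const userModel = {
  rawAttributes: { id: {}, firstName: {}, lastName: {}, createdAt: {} },
};

// Assumption: aliases are restricted to plain identifiers. Sequelize quotes
// aliases itself, but keeping them plain avoids surprises downstream.
const SAFE_ALIAS = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Accepts an entry shaped like 'name' or ['name', 'alias']. Returns the entry
// when `name` is a declared attribute (and the alias, if present, is plain),
// otherwise null. A string such as 'count(id)' never matches a declared
// attribute, so the form Sequelize <= 6.28.2 inlined unescaped is rejected.
function validateAttribute(model, entry) {
  const name = Array.isArray(entry) ? entry[0] : entry;
  const alias = Array.isArray(entry) ? entry[1] : undefined;
  if (typeof name !== 'string') return null;
  // hasOwnProperty rather than `in`, so '__proto__' or 'toString' cannot match
  if (!Object.prototype.hasOwnProperty.call(model.rawAttributes, name)) return null;
  if (alias !== undefined && (typeof alias !== 'string' || !SAFE_ALIAS.test(alias))) {
    return null;
  }
  return entry;
}

// Splits untrusted input into entries safe to pass as `attributes` and
// entries to reject. Rejections are returned rather than silently dropped so
// the caller can log them as a possible probing attempt.
function buildAttributes(model, requested) {
  const accepted = [];
  const rejected = [];
  for (const entry of requested) {
    if (validateAttribute(model, entry) === null) rejected.push(entry);
    else accepted.push(entry);
  }
  return { accepted, rejected };
}
```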
Release Notes
sequelize/sequelize (sequelize)
v6.28.1
Bug Fixes
- throw if where receives an invalid value (#15699) (d9e0728)
- update moment-timezone version (#15685) (48d6193)
v6.25.6
Bug Fixes
- postgres: invalidate connection after client-side timeout (#15283) (a205765), closes /github.com/brianc/node-postgres/blob/5538df6b446f4b4f921947b460fe38acb897e579/packages/pg/lib/client.js#L529
v6.25.3
Bug Fixes
- don't treat \ as escape in standard strings, support E-strings, support vars after ->> operator, treat lowercase e as valid e-string prefix (#15139) (7990095), closes #14700
v6.19.1
Bug Fixes
⚠️ BREAKING CHANGE: This change is a security fix that patches a serious SQL injection vulnerability, however it is possible that your application made use of it and broke as a result of this change. Please see this issue for more information.
v6.17.0
Bug Fixes
- fix typo in query-generator.js error message (#14151) (2d339d0)
- postgres: correctly re-acquire connection for pg-native (#14090) (82506a6)
- types: drop excess argument for upsert (#14156) (da8678d)
- types: export GroupedCountResultItem interface (#14154) (a81b7ab)
- types: update 'replication' option property (#14126) (7ac1221)
- types: update return type of Model.update (#14155) (b80aeed)
Features
- types: infer nullable creation attributes as optional (#14147) (f5c06bd)
- types: make Model.getAttributes stricter (#14017) (e974e20)
v6.15.1
Bug Fixes
- types: accept $nested.syntax$ in WhereAttributeHash (#13983) (4a513cf)
- types: correct typing definitions for Sequelize.where (#14018) (99c612b)
- types: improve branded types (#13990) (a578ea0)
v6.14.0
Bug Fixes
- don't call overloaded versions of find functions internally (#13951) (fc53cdb)
- don't call overloaded versions of find functions internally (#13951) (b253d8e)
- model.d: fix type for count and findAndCountAll (#13786) (b06c1fc)
- types: add hooks to InstanceDestroyOptions type (#13491) (dbd9ea8)
- types: add missing fields to FindOr{Create,Build}Options (#13389) (ef63f8f)
- types: fix QueryInterface#bulkInsert attribute arg type (#13945) (9e108e3)
Features
- types: add InferAttributes utility type (#13909) (fd42687)
- types: add typings for DataTypes.TSVECTOR (#13940) (b8f0463)
- types: drop TypeScript < 4.1 (#13954) (dd49044)
v6.13.0
Features
- mariadb: add mariadb support in Sequelize.set function (#13926) (02bda05), closes #13920
- postgres: drop indices concurrently in Postgres (#13903) (37f20a6)
v6.12.5
Bug Fixes
- dialect: sequelize pool doesn't take effect in dialect "mssql" (#13880) (fc155b6)
- model: fix count with grouping typing (#13884) (49beb29), closes #13871
- types: improve ModelCtor / ModelStatic typing (#13890) (34aa808)
- types: omit FK and scope keys in HasManyCreateAssociationMixin (#13892) (b315ce8)
v6.12.2
Bug Fixes
- abstract: patch jsonb operator for pg if value is json (#13780) (a2375c5)
- operators: fix ts support for operators.ts (#13805) (b532ab1)
- postgres: allows usage of schema for ARRAY(ENUM) type name (#13807) (da5b0ce)
- query-interface: bring back quoteIdentifier(s) to queryInterface (#13810) (001dc60)
v6.12.1
Bug Fixes
- allow deep imports (#13795) (1ecdaf9)
- fix invalid ts import style of lib/operators (#13797) (8acc14f)
v6.12.0
Bug Fixes
- data-types: unnecessary warning when getting data with DATE dataTypes (#13712) (121884b)
- docs: add aws-lamda route (#13693) (3059bce)
- example: fix coordinates format as per GeoJson (#13718) (f9dec20)
- increment: fix key value broken query (#12985) (fc0b19e)
- model.d: fix findAndCountAll.count type (#13736) (b7b472e)
- snowflake: fix to prevent disconnect attempt on already disconnected connection (#13775) (2a9a551)
- types: add Col to where Ops (#13717) (2d7b865)
- types: add instance member declaration (#13684) (ae3cde5)
- types: add missing schema field to sequelize options (c7a0839), closes #12606
- types: allow override json function with custom return type (#13694) (2c3b384)
- upsert: fall back to DO NOTHING if no update key values provided (#13594) (4071378)
- upsert: fall back to DO NOTHING if no update key values provided (#13711) (f9dfaa7), closes #13594
- wrong interface used within mixin (#13685) (bd3ddf5)
Features
- dialects: add experimental support for db2 (#13374) (4443d2a)
- dialect: snowflake dialect support (#13406) (ad68a5e)
- model: complete getAttributes feature (b6510df)
- typescript: create alpha release with ts (911125e)
- types: transition lib/errors (#13710) (8cdce6a)
- upsert: add conflictFields option (#13723) (496bede)
v6.10.0
Bug Fixes
- typing on creation within an association (#13678) (0312f8e)
- logger: change logging depth from 3 to 1 (#12879) (ddddc24)
- mariadb: fix MariaDB 10.5 JSON (#13633) (cdd61dd)
- model: clone options object instead of modifying (#13589) (3be43de)
- mssql: fix sub query issue occurring with renamed primary key fields (#12801) (73d99ab)
- mssql: sqlserver 2008 fix for using offsets and include criteria (47c4494)
- query: make stacktraces include original calling code (#13347) (f581543)
- types: Add missing type definitions in models (#13553) (73ecf6c)
- types: add specific tojson type in model.d.ts (#13661) (5924be5)
- types: DataType.TEXT overloading definition (#13654) (1690801)
- types: include 'paranoid' in IncludeThroughOptions definition (#13625) (b1fb1f3)
- types: ne op documentation (#13666) (98485df)
- types: rename types and update CONTRIBUTING docs (#13348) (1f23924)
- expect result is null but got zero (#13637) (da3ac09)
Features
- definitions: Adds AbstractQuery and before/afterQuery hook definitions (#13635) (37a5858)
- postgresql: easier SSL config and options param support (#13673) (9591573)
v6.9.0
Bug Fixes
- docs: using incorrect esdocs syntax (#13615) (c3c690b)
- sqlite: quote table names in sqlite getForeignKeysQuery (#13587) (eeb6a8f)
- upsert: do not overwrite an explicit created_at during upsert (#13593) (594cee8)
v6.8.0
Bug Fixes
- types: allow any values in isIn validator (#12962) (d511d91)
- allows insert primary key with zero (#13458) (e4aff2f)
- model: Convert number values only if they aren't null to avoid NaN (199b632)
- model.d: accept [Op.is] in where (broken in TypeScript 4.4) (#13499) (d685a9a)
- postgres: fix findCreateFind to work with postgres transactions (#13482) (84421d7)
- select: do not force set subQuery to false (#13490) (0943339)
- sqlite: fix wrongly overwriting storage if empty string (#13376) (c3e608b), closes #13375
- types: add missing upsert hooks (#13394) (5e9c209)
- types: extend BulkCreateOptions by SearchPathable (#13469) (47c2d05), closes #13454
- types: typo in model.d.ts (#13574) (31d0fbc)
Features
- postgres: support query_timeout dialect option (#13258) (3ca085d)
- typings: add UnknownConstraintError (#13461) (69d899e)
v6.7.0
Bug Fixes
- deps: upgrade to secure versions of dev deps (#13549) (cf53734)
- docs: fix typo in documentation for polymorphic associations (#13405) (bbf3d76)
- types: allow rangable to take a string tuple (#13486) (ca2a11a)
Features
- test: add test for nested column in where query (#13478) (26b62c7), closes #13288
- types: make config type deeply writeable for before connect hook (#13424) (f078f77)
v6.6.4
Bug Fixes
- typings: make Transactionable compatible with TransactionOptions (#13334) (cd2de40)
- utils: clone attributes before mutating them (#13226) (1a16b91)
- data-types: use proper field name for ARRAY(ENUM) (#13210) (1cfbd33)
- typings: fix ignoreDuplicates option (#13220) (b33d78e)
- typings: allow schema for queryInterface methods (#13223) (6b0b532)
- typings: restrict update typings (#13216) (63ceb73)
- typings: returning can specify column names (#13215) (143cc84)
- typings: model init returns model class, not instance (#13214) (8f2a0d5)
- plurals: bump inflection dependency (#13260) (deeb5c6)
- bulk-create: ON CONFLICT with unique index (#13345) (6dcb565)
v6.6.1
Bug Fixes
- query-generator: use AND in sql for not/between (#13043) (a663c54)
- sqlite: retrieve primary key on upsert (#12991) (023e1d9)
- types: allow (keyof TAttributes)[] in UpdateOptions.returning (#13130) (97ba242)
- types: models with attributes couldn't be used in some cases (#13010) (de5f21d)
- types: remove string from Order type (#13057) (ac39f8a)
v6.6.0
Bug Fixes
- types: allow sequelize.col in attributes (#13105) (3fd64cb)
- types: allow bigints in WhereValue (#13028) (8892507)
- types: decapitalize queryGenerator property (#13126) (9cb4d7f)
- types: fix Model#previous type (#13106) (466e361)
- types: fix ValidationErrorItem types (#13108) (e35a9bf)
v6.5.1
Bug Fixes
- mysql: release connection on deadlocks (#13102) (6388507)
  - Note: this complements the work done in 6.5.0, fixing another situation not covered by it with MySQL.
- types: allow transaction to be null (#13093) (ced4dc7)
v6.5.0
Second release in 2021! :tada:
Bug Fixes
- mysql, mariadb: release connection on deadlocks (#12841) (c77b1f3)
- types: allow changing values on before hooks (#12970) (e5b8929)
- types: typo in sequelize.js and sequelize.d.ts (#12975) (2fe980e)
v6.4.0
Bug Fixes
- types: better support for readonly arrays (287607a)
- types: remove part forgotten in #12175 (2249ded)
v6.3.5
Bug Fixes
- truncate: fix missi
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
- [ ] If you want to rebase/retry this PR, check this box
This PR was generated by Mend Renovate. View the repository job log.
Codecov Report
Merging #119 (5885935) into master (7e6cad0) will not change coverage. The diff coverage is n/a.

Coverage Diff | master | #119 | +/-
---|---|---|---
Coverage | 100.00% | 100.00% |
Files | 1 | 1 |
Lines | 36 | 36 |
Branches | 6 | 6 |
Hits | 36 | 36 |