Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix/ilike-sql-injection #90

Open
maciejopalinski opened this issue Mar 28, 2022 · 3 comments
Open

fix/ilike-sql-injection #90

maciejopalinski opened this issue Mar 28, 2022 · 3 comments
Assignees
@maciejopalinski
Labels
priority: high type: bug type: fix

Comments

@maciejopalinski
Copy link
Member

THIS IS CRITICAL

TypeORM ILike operator is retarded. Our search services are vulnerable to SQL Injection attacks.
@maciejopalinski maciejopalinski self-assigned this Mar 28, 2022
@create-issue-branch
Copy link

Branch issue-90-fix/ilike-sql-injection created!

@maciejopalinski
Copy link
Member Author

I tried to do a proof of concept but didn't succeed. Sqlmap did not find anything... Let's leave this vulnerability to the Russian bots xD

@maciejopalinski
Copy link
Member Author

maciejopalinski commented Mar 28, 2022
edited
Loading

Quotes are escaped, but percent signs '%' are not. It is not a big of a deal, but...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@maciejopalinski maciejopalinski

Labels
priority: high type: bug type: fix
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@maciejopalinski