Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(deps): update dependency sequelize to v6 [security] #403

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Feb 23, 2023

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
sequelize (source) 5.22.5 -> 6.29.0 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2023-22580

Due to improper input filtering in the sequelize js library, can malicious queries lead to sensitive information disclosure.

CVE-2023-25813

Impact

The SQL injection exploit is related to replacements. Here is such an example:

In the following query, some parameters are passed through replacements, and some are passed directly through the where option.

User.findAll({
  where: or(
    literal('soundex("firstName") = soundex(:firstName)'),
    { lastName: lastName },
  ),
  replacements: { firstName },
})

This is a very legitimate use case, but this query was vulnerable to SQL injection due to how Sequelize processed the query: Sequelize built a first query using the where option, then passed it over to sequelize.query which parsed the resulting SQL to inject all :replacements.

If the user passed values such as

{
  "firstName": "OR true; DROP TABLE users;",
  "lastName": ":firstName"
}

Sequelize would first generate this query:

SELECT * FROM users WHERE soundex("firstName") = soundex(:firstName) OR "lastName" = ':firstName'

Then would inject replacements in it, which resulted in this:

SELECT * FROM users WHERE soundex("firstName") = soundex('OR true; DROP TABLE users;') OR "lastName" = ''OR true; DROP TABLE users;''

As you can see this resulted in arbitrary user-provided SQL being executed.

Patches

The issue was fixed in Sequelize 6.19.1

Workarounds

Do not use the replacements and the where option in the same query if you are not using Sequelize >= 6.19.1

References

See this thread for more information: https://github.com/sequelize/sequelize/issues/14519

Snyk: https://security.snyk.io/vuln/SNYK-JS-SEQUELIZE-2932027

CVE-2023-22579

Impact

Providing an invalid value to the where option of a query caused Sequelize to ignore that option instead of throwing an error.

A finder call like the following did not throw an error:

User.findAll({
  where: new Date(),
});

As this option is typically used with plain javascript objects, be aware that this only happens at the top level of this option.

Patches

This issue has been patched in [email protected] & @sequelize/[email protected]

References

A discussion thread about this issue is open at https://github.com/sequelize/sequelize/discussions/15698

CVE: CVE-2023-22579
Snyk: https://security.snyk.io/vuln/SNYK-JS-SEQUELIZE-3324090

CVE-2023-22578

Impact

Sequelize 6.28.2 and prior has a dangerous feature where using parentheses in the attribute option would make Sequelize use the string as-is in the SQL

User.findAll({
  attributes: [
    ['count(id)', 'count']
  ]
});

Produced

SELECT count(id) AS "count" FROM "users"

Patches

This feature was deprecated in Sequelize 5, and using it prints a deprecation warning.

This issue has been patched in @sequelize/[email protected] and [email protected].

In Sequelize 7, it now produces the following:

SELECT "count(id)" AS "count" FROM "users"

In Sequelize 6, it throws an error explaining that we had to introduce a breaking change, and requires the user to explicitly opt-in to either the Sequelize 7 behavior (always escape) or the Sequelize 5 behavior (inline attributes that include () without escaping). See https://github.com/sequelize/sequelize/pull/15710 for more information.

Mitigations

Do not use user-provided content to build your list or attributes. If you do, make sure that attribute in question actually exists on your model by checking that it exists in the rawAttributes property of your model first.


A discussion thread about this issue is open at https://github.com/sequelize/sequelize/discussions/15694
CVE: CVE-2023-22578


Release Notes

sequelize/sequelize (sequelize)

v6.29.0

Compare Source

Features

v6.28.2

Compare Source

Bug Fixes

v6.28.1

Compare Source

Bug Fixes

v6.28.0

Compare Source

Features
  • types: use retry-as-promised types for retry options to match documentation (#​15484) (fd4afa6)

v6.27.0

Compare Source

Features

v6.26.0

Compare Source

Features

v6.25.8

Compare Source

Bug Fixes

v6.25.7

Compare Source

Bug Fixes

v6.25.6

Compare Source

Bug Fixes

v6.25.5

Compare Source

Bug Fixes

v6.25.4

Compare Source

Bug Fixes

v6.25.3

Compare Source

Bug Fixes
  • don't treat \ as escape in standard strings, support E-strings, support vars after ->> operator, treat lowercase e as valid e-string prefix (#​15139) (7990095), closes #​14700

v6.25.2

Compare Source

Bug Fixes
  • types: fix TS 4.9 excessive depth error on InferAttributes (v6) (#​15135) (851daaf)

v6.25.1

Compare Source

Bug Fixes

v6.25.0

Compare Source

Features

v6.24.0

Compare Source

Features
  • snowflake: Add support for QueryGenerator#tableExistsQuery (#​15087) (a44772e)

v6.23.2

Compare Source

Bug Fixes
  • postgres: add custom order direction to subQuery ordering with minified alias (#​15056) (7203b66)

v6.23.1

Compare Source

Bug Fixes

v6.23.0

Compare Source

Features

v6.22.1

Compare Source

Bug Fixes

v6.22.0

Compare Source

Features

v6.21.6

Compare Source

Bug Fixes

v6.21.5

Compare Source

Bug Fixes

v6.21.4

Compare Source

Bug Fixes

v6.21.3

Compare Source

Bug Fixes
  • postgres: attach postgres error-handler earlier in lifecycle (v6) (#​14731) (90bb694)

v6.21.2

Compare Source

Bug Fixes

v6.21.1

Compare Source

Bug Fixes

v6.21.0

Compare Source

Features
  • exports types to support typescript >= 4.5 nodenext module (#​14620) (cbdf73e)

v6.20.1

Compare Source

Bug Fixes

v6.20.0

Compare Source

Features

v6.19.2

Compare Source

Bug Fixes

v6.19.1

Compare Source

Bug Fixes

⚠️ BREAKING CHANGE: This change is a security fix that patches a serious SQL injection vulnerability, however it is possible that your application made use of it and broke as a result of this change. Please see this issue for more information.

v6.19.0

Compare Source

Bug Fixes
Features
  • types: make Model.init aware of pre-configured foreign keys (#​14370) (5954d2c)

v6.18.0

Compare Source

Features
  • add whereScopeStrategy to merge where scopes with Op.and (#​14152) (8349c02)

v6.17.0

Compare Source

Bug Fixes
Features

v6.16.3

Compare Source

Bug Fixes

v6.16.2

Compare Source

Bug Fixes

v6.16.1

Compare Source

Bug Fixes

v6.16.0

Compare Source

Features

v6.15.1

Compare Source

Bug Fixes

v6.15.0

Compare Source

Bug Fixes
Features

v6.14.1

Compare Source

Bug Fixes

v6.14.0

Compare Source

Bug Fixes
Features

v6.13.0

Compare Source

Bug Fixes
Features

v6.12.5

Compare Source

Bug Fixes

v6.12.4

Compare Source

Bug Fixes
  • mssql/async-queue: fix unable to start mysql due to circular ref (#​13823) (49e8614)

v6.12.3

Compare Source

Bug Fixes

v6.12.2

Compare Source

Bug Fixes

v6.12.1

Compare Source

Bug Fixes

v6.12.0

Compare Source

Bug Fixes
Features

v6.11.0

Compare Source

Features

v6.10.0

Compare Source

Bug Fixes
Features
  • definitions: Adds AbstractQuery and before/afterQuery hook definitions (#​13635) (37a5858)
  • postgresql: easier SSL config and options param support (#​13673) (9591573)

v6.9.0

Compare Source

Bug Fixes
Features

v6.8.0

Compare Source

Bug Fixes
Features

v6.7.0

Compare Source

Bug Fixes
Features

v6.6.5

Compare Source

Bug Fixes

v6.6.4

Compare Source

Bug Fixes

v6.6.2

Compare Source

Bug Fixes

v6.6.1

Compare Source

Bug Fixes

v6.6.0

Compare Source

Bug Fixes
Features

v6.5.1

Compare Source

Bug Fixes
  • mysql: release connection on deadlocks (#​13102) (6388507)
    • Note: this complements the work done in 6.5.0, fixing another situation not covered by it with MySQL.
  • types: allow transaction to be null (#​13093) (ced4dc7)

v6.5.0

[Compare Source](https://redirect.github.com/sequelize/sequel


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/npm-sequelize-vulnerability branch from d8e9b50 to 62d4232 Compare February 25, 2023 01:20
@renovate renovate bot force-pushed the renovate/npm-sequelize-vulnerability branch from 62d4232 to 3047f2c Compare July 8, 2023 22:28
@renovate renovate bot force-pushed the renovate/npm-sequelize-vulnerability branch from 3047f2c to 07a7bc4 Compare February 3, 2024 16:40
@renovate renovate bot force-pushed the renovate/npm-sequelize-vulnerability branch from 07a7bc4 to 690105b Compare June 2, 2024 01:38
@renovate renovate bot force-pushed the renovate/npm-sequelize-vulnerability branch from 690105b to 9f4e16c Compare June 2, 2024 04:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants