Failure to sanitize quotes which can lead to sql injection in squel

All versions of squel are vulnerable to sql injection.

The squel package does not properly escape user provided input when provided using the setFields method. This could lead to sql injection if the query was then executed.

Proof of concept demonstrating the injection of a single quote into a generated sql statement from user provided input.

> console.log(squel.insert().into('buh').setFields({foo: "bar'baz"}).toString());
INSERT INTO buh (foo) VALUES ('bar'baz')

Recommendation

There is no fix at this time and the issue has been reported publicly. Consider using another query builder that provides strong guarantees for input sanitization to prevent sql injection attacks.

References

Reviewed Jun 14, 2019

Published to the GitHub Advisory Database Jun 14, 2019

Last updated Jan 9, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Package

Affected versions

Patched versions

Description

Recommendation

References

Severity

EPSS score

Weaknesses

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE ID

GHSA ID

Source code

Uh oh!