Created
February 25, 2016 16:59
-
-
Save TheThing/00be586e2d71e7b9a4b8 to your computer and use it in GitHub Desktop.
knex with potential SQL injection
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* eslint-disable */ | |
| var knex = require('knex') | |
| var config = { | |
| connection: { | |
| host: '127.0.0.1', | |
| }, | |
| pool: { | |
| min: 1, | |
| max: 1, | |
| }, | |
| } | |
| // pg driver This works | |
| config.client = 'pg' | |
| config.connection.user = 'postgres' | |
| config.connection.database = 'test' | |
| // This one doesn't work | |
| config.client = 'mysql' | |
| config.connection.user = 'mysql' | |
| config.connection.database = 'test' | |
| var client = knex(config) | |
| // Create our test table | |
| client.schema.createTable('user_test', function(table) { | |
| table.string('username') | |
| }) | |
| // Insert some data | |
| .then(function() { | |
| return client('user_test') | |
| .insert([{ | |
| username: 'test' | |
| }]) | |
| }) | |
| // Run select where we accidentally leak in an object | |
| .then(function() { | |
| return client('user_test') | |
| .where({ username: { nope: 1 } }) | |
| }) | |
| .then(function(test) { | |
| // We should get here with empty result | |
| console.log(test) | |
| }) | |
| .catch(function(error) { | |
| // Instead we get an error | |
| console.log(error) | |
| /* | |
| { [Error: select * from `user_test` where `username` = '{"nope":1}' - ER_BAD_FIELD_ERROR: Unknown column 'nope' in 'where clause'] | |
| code: 'ER_BAD_FIELD_ERROR', | |
| errno: 1054, | |
| sqlState: '42S22', | |
| index: 0 } | |
| */ | |
| }) | |
| .then(function(){ | |
| return client.schema.dropTable('user_test') | |
| }) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment