sequelize: SQL Injection/Syntax error inserting GeoJSON documents with single quotes

What you are doing?

Inserting GeoJSON documents with single quotes in an attribute.

What do you expect to happen?

No errors.

What is actually happening?

Errors.

Executing (default): INSERT INTO "boundaries" ("id","name","type","geo","createdAt","updatedAt") VALUES ('0138248','Jacksons'' Gap','place',ST_GeomFromGeoJSON('{"type":"MultiPolygon","properties":{"NAME":"Jacksons' Gap","NAMELSAD":"Jacksons' Gap town","coordinates":[]}'),'2016-06-30 20:45:23.143 +00:00','2016-06-30 20:45:23.143 +00:00') RETURNING *;

SequelizeDatabaseError: syntax error at or near "Gap"

Seems like the GeoJSON string is not being escaped at all, so having a single quote in any property in the GeoJSON is causing a syntax error.

  • Dialect: postgres
  • Database version: 9.5.3
  • Sequelize version: 3.23.4
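To make the failure mode concrete, here is an added example (not sequelize's own code, and not the fix from the linked pull requests) that renders the `ST_GeomFromGeoJSON(...)` argument two ways: verbatim, as the log line above shows, and as a properly escaped PostgreSQL string literal. A small decoder then reads the fragment back the way the server would, which shows why the verbatim form ends with "syntax error at or near "Gap"": the literal closes at the apostrophe in `Jacksons'`, and everything after it is parsed as SQL. The record, the helper names and the `''` doubling convention (standard PostgreSQL literal escaping) are assumptions of this example.

```javascript
// Added example: how an unescaped GeoJSON literal breaks the INSERT, and what
// escaping it as a PostgreSQL string constant changes. Sample record constructed
// from the issue's log line; helper names are this example's own.

// Escape a value as a single-quoted PostgreSQL string literal by doubling
// embedded single quotes (the standard escape with standard_conforming_strings on).
function pgStringLiteral(value) {
  return "'" + String(value).replace(/'/g, "''") + "'";
}

// Verbatim rendering: the serialized GeoJSON is dropped into the SQL text as-is.
function renderGeoNaive(geojson) {
  return "ST_GeomFromGeoJSON('" + JSON.stringify(geojson) + "')";
}

// Escaped rendering: the serialized GeoJSON goes through the same literal escaping
// as any other string value in the statement.
function renderGeoEscaped(geojson) {
  return "ST_GeomFromGeoJSON(" + pgStringLiteral(JSON.stringify(geojson)) + ")";
}

// Decode the first single-quoted literal the way the server would: '' inside the
// literal becomes ', the next lone ' terminates it. Returns { literal, rest } or
// null if the literal is never terminated.
function splitFirstLiteral(sql) {
  const start = sql.indexOf("'");
  if (start < 0) return null;
  let literal = "";
  for (let i = start + 1; i < sql.length; i++) {
    if (sql[i] === "'") {
      if (sql[i + 1] === "'") { literal += "'"; i++; continue; }
      return { literal, rest: sql.slice(i + 1) };
    }
    literal += sql[i];
  }
  return null;
}

// True only if the server-side literal parses back to the original GeoJSON and
// nothing from the document has leaked out into the surrounding SQL.
function roundTrips(fragment, geojson) {
  const parts = splitFirstLiteral(fragment);
  if (parts === null) return false;
  try {
    return JSON.stringify(JSON.parse(parts.literal)) === JSON.stringify(geojson) &&
      parts.rest === ")";
  } catch (e) {
    return false; // the literal was cut short, so it is not valid JSON
  }
}

// Constructed sample mirroring the record in the issue.
const boundary = {
  type: "MultiPolygon",
  properties: { NAME: "Jacksons' Gap", NAMELSAD: "Jacksons' Gap town" },
  coordinates: [],
};

const naive = renderGeoNaive(boundary);
const escaped = renderGeoEscaped(boundary);

console.log("verbatim:", naive);
console.log("server sees literal:", JSON.stringify(splitFirstLiteral(naive).literal));
console.log("server then parses as SQL:", splitFirstLiteral(naive).rest);
console.log("escaped:", escaped);
console.log("escaped round-trips:", roundTrips(escaped, boundary));
```

The decoder is only a lens on what the server receives; the practical takeaway is that the GeoJSON must pass through the same escaping (or, better, a bound parameter) as every other string in the statement rather than being concatenated into the SQL text.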

About this issue

  • State: closed
  • Created 8 years ago
  • Reactions: 4
  • Comments: 16 (13 by maintainers)

Most upvoted comments

Now both MySQL and Postgres SQL Injection cases have been fixed. Everyone is advised to upgrade to v3.23.6.

@contra You need to edit the NSP advisory with patch version v3.23.6

More details https://github.com/sequelize/sequelize/pull/6302 and https://github.com/sequelize/sequelize/pull/6305

FWIW, you can set up an nsp exception for this by adding an .nsprc file with something like the following (advisory 122 is the SQL Injection via GeoJSON):

{
  "exceptions": [
    "https://nodesecurity.io/advisories/122"
  ]
}

Just to be more clear: This is a pretty major security issue. Anyone who accepts user data with geojson types is vulnerable to a SQL injection on the insert.