CVE-2023-22578

Due to improper artibute filtering in the sequalize js library, can a attacker peform SQL injections.

Due to improper artibute filtering in the sequalize js library, can a attacker peform SQL injections.

### Impact Sequelize 6.28.2 and prior has a dangerous feature where using parentheses in the attribute option would make Sequelize use the string as-is in the SQL ```ts User.findAll({ attributes: [ ['count(id)', 'count'] ] }); ``` Produced ```sql SELECT count(id) AS "count" FROM "users" ``` ### Patches This feature was deprecated in Sequelize 5, and using it prints a deprecation warning. This issue has been patched in [`@sequelize/core@7.0.0.alpha-20`](https://github.com/sequelize/sequelize/pull/15374) and [`sequelize@6.29.0`](https://github.com/sequelize/sequelize/pull/15710). In Sequelize 7, it now produces the following: ```sql SELECT "count(id)" AS "count" FROM "users" ``` In Sequelize 6, it throws an error explaining that we had to introduce a breaking change, and requires the user to explicitly opt-in to either the Sequelize 7 behavior (always escape) or the Sequelize 5 behavior (inline attributes that include `()` without escaping). See https://github.com/sequelize/sequelize/pull/15710 for more information. ### Mitigations Do not use user-provided content to build your list or attributes. If you do, make sure that attribute in question actually exists on your model by checking that it exists in the `rawAttributes` property of your model first. --- A discussion thread about this issue is open at https://github.com/sequelize/sequelize/discussions/15694 CVE: CVE-2023-22578

### Impact Sequelize 6.28.2 and prior has a dangerous feature where using parentheses in the attribute option would make Sequelize use the string as-is in the SQL ```ts User.findAll({ attributes: [ ['count(id)', 'count'] ] }); ``` Produced ```sql SELECT count(id) AS "count" FROM "users" ``` ### Patches This feature was deprecated in Sequelize 5, and using it prints a deprecation warning. This issue has been patched in [`@sequelize/core@7.0.0.alpha-20`](https://github.com/sequelize/sequelize/pull/15374) and [`sequelize@6.29.0`](https://github.com/sequelize/sequelize/pull/15710). In Sequelize 7, it now produces the following: ```sql SELECT "count(id)" AS "count" FROM "users" ``` In Sequelize 6, it throws an error explaining that we had to introduce a breaking change, and requires the user to explicitly opt-in to either the Sequelize 7 behavior (always escape) or the Sequelize 5 behavior (inline attributes that include `()` without escaping). See https://github.com/sequelize/sequelize/pull/15710 for more information. ### Mitigations Do not use user-provided content to build your list or attributes. If you do, make sure that attribute in question actually exists on your model by checking that it exists in the `rawAttributes` property of your model first. --- A discussion thread about this issue is open at https://github.com/sequelize/sequelize/discussions/15694 CVE: CVE-2023-22578