List: oss-security
Subject: [oss-security] JSON-based SQL query construction (Sequelize as an example)
From: Florian Weimer <fweimer () redhat ! com>
Date: 2015-05-20 14:50:18
Message-ID: 555C9F2A.4020207 () redhat ! com
We came across an issue which could deserve some wider attention: JSON
injection altering the structure of queries in certain ORM tools.
<https://securityblog.redhat.com/2015/05/20/json-homoiconicity-and-database-access/>
Already in July 2014, Kazuho Oku described a JSON injection issue in the
SQL::Maker Perl package, discovered by his colleague Toshiharu Sugiyama:
<http://blog.kazuhooku.com/2014/07/the-json-sql-injection-vulnerability.html>
Additional SQL frameworks could be affected if they implement such
queries and are used with JSON frameworks which produce dict/hash
objects native to the programming language (so that they are
indistinguishable from query expressions).
--
Florian Weimer / Red Hat Product Security
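As an added illustration of the class of issue described above (not code from the post, Sequelize or SQL::Maker), here is a hypothetical SQL::Maker-style "where" builder in Python: a scalar value becomes an equality test, while a dict value is interpreted as an operator clause. Because json.loads produces native dicts, a JSON object in a request body is indistinguishable from a query expression; the sanitize_where step with its constructed SCHEMA shows the kind of type check that keeps decoded JSON out of operator positions.

```python
import json

# Hypothetical stand-in for a hash/dict-based query builder (constructed for
# this example). Returns SQL with placeholders plus the bound parameters.
OPERATORS = {"=", "!=", "<", "<=", ">", ">=", "LIKE"}


def build_where(where):
    clauses, params = [], []
    for column, value in where.items():
        if isinstance(value, dict):
            # A dict value is treated as {operator: operand}: this is the
            # convention that lets decoded JSON alter the query structure.
            for op, operand in value.items():
                if op not in OPERATORS:
                    raise ValueError("unknown operator %r" % op)
                clauses.append("%s %s ?" % (column, op))
                params.append(operand)
        else:
            clauses.append("%s = ?" % column)
            params.append(value)
    return " AND ".join(clauses), params


# Hardening (assumed schema, constructed for the example): only known
# columns are accepted, and only as the exact scalar type the column
# expects, so a JSON object or array never reaches the builder.
SCHEMA = {"username": str, "age": int}


def sanitize_where(decoded):
    clean = {}
    for column, value in decoded.items():
        expected = SCHEMA.get(column)
        if expected is None:
            raise ValueError("unknown column %r" % column)
        if type(value) is not expected:  # rejects dict, list, None, bool
            raise TypeError("column %r expects %s" % (column, expected.__name__))
        clean[column] = value
    return clean


def lookup_sql(body):
    """Query a request handler would run for a JSON request body."""
    return build_where(sanitize_where(json.loads(body)))


def is_safe_body(body):
    """True if the body survives sanitization, False if it was rejected."""
    try:
        lookup_sql(body)
        return True
    except (ValueError, TypeError):
        return False
```

Passing the decoded body straight to build_where instead of through sanitize_where is the vulnerable pattern; with the check in place, a body whose value is a JSON object is rejected before any SQL is built.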