This is an example of SQL injection that should be detected by SAST tools. A developer who knows how to build an Apollo server should be able to identify the issue quickly, but this sort of thing should still be caught automatically. The logged query shows the mechanism: the `parameter` variable is concatenated into the SQL text as-is, so a value that brings its own quotes can terminate the intended statement and append another one. To prove that the injection is possible, I have also patched the @fish-and-richardson-pc/apollo-datasource-msnodesqlv8 package to log the SQL just before executing it, so you can demonstrate the injection without connecting to a real database. To reproduce the injection:
- Install Corepack
- Run `yarn`
- Run `yarn start`
- Visit http://localhost:4000/
- Click "Query your server"
- Enter the following in the Operations editor:

  ```graphql
  query Books($parameter: String) {
    books(parameter: $parameter) {
      title
      author
    }
  }
  ```

- Enter the following in the Variables editor:

  ```json
  { "parameter": "''; DROP TABLE Things" }
  ```

- Click ▶ Books
- Look in the console. You should see:

  ```
  Illustrating a successful sql injection
  SELECT Stuff FROM Things WHERE OtherStuff = ''; DROP TABLE Things
  ```
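The resolver shape behind the logged statement, beside the parameterized form that fixes it, as an added example. This is not the repo's code and not the API of the @fish-and-richardson-pc/apollo-datasource-msnodesqlv8 package; the function names are assumed, the table and column names are the ones in the console output above, and the use of positional `?` placeholders bound from an array is an assumption about the driver that you should check against its docs. Because the logged statement contains `OtherStuff = ''; DROP TABLE Things`, the variable must be interpolated without surrounding quotes, so the payload supplies its own.

```javascript
// Added example, not code from this repo or from the
// @fish-and-richardson-pc/apollo-datasource-msnodesqlv8 package.
// Table/column names come from the query logged in the README; the
// function names and the "?" placeholder convention are assumptions.

// Vulnerable shape: the GraphQL variable is spliced into the SQL text.
// With parameter = "''; DROP TABLE Things" this yields exactly the
// statement the README shows in the console.
function buildBooksQueryVulnerable(parameter) {
  return `SELECT Stuff FROM Things WHERE OtherStuff = ${parameter}`;
}

// Hardened shape: the SQL text is a constant and the value travels
// separately as a bound parameter, so it can never change the statement.
// (Positional "?" binding from an array is assumed for the driver.)
function buildBooksQueryParameterized(parameter) {
  return {
    sql: 'SELECT Stuff FROM Things WHERE OtherStuff = ?',
    params: [parameter],
  };
}

// Stand-in for the logging the patched data source does in this repo:
// returns the text that would reach the database and whether it now
// carries more than one statement. Statements are counted by semicolons
// that sit outside single-quoted literals; a trailing ";" is ignored.
function inspect(sqlText) {
  let inQuote = false;
  let statements = 1;
  for (let i = 0; i < sqlText.length; i++) {
    const ch = sqlText[i];
    if (ch === "'") {
      inQuote = !inQuote;
    } else if (ch === ';' && !inQuote && sqlText.slice(i + 1).trim() !== '') {
      statements++;
    }
  }
  return { sqlText, statements, stacked: statements > 1 };
}

// Minimal SAST-style rule for the pattern above: a template literal that
// looks like SQL and interpolates a value. Deliberately crude; it shows
// what a rule for this bug has to look for, not a replacement for a tool.
function findInterpolatedSql(source) {
  const findings = [];
  const sqlKeyword = /\b(SELECT|INSERT|UPDATE|DELETE|DROP)\b/i;
  source.split('\n').forEach((line, idx) => {
    if (line.includes('`') && line.includes('${') && sqlKeyword.test(line)) {
      findings.push({ line: idx + 1, text: line.trim() });
    }
  });
  return findings;
}

// Constructed payload, the same one the README's Variables editor uses.
const payload = "''; DROP TABLE Things";

const vulnerable = inspect(buildBooksQueryVulnerable(payload));
// vulnerable.sqlText is "SELECT Stuff FROM Things WHERE OtherStuff = ''; DROP TABLE Things"
// vulnerable.stacked is true: a second statement was smuggled in

const hardened = buildBooksQueryParameterized(payload);
// hardened.sql never contains the payload; it sits in hardened.params[0]

console.log(vulnerable);
console.log(hardened, inspect(hardened.sql).stacked);
console.log(findInterpolatedSql(buildBooksQueryVulnerable.toString()));
console.log(findInterpolatedSql(buildBooksQueryParameterized.toString()));
```

The rule in `findInterpolatedSql` is run over the functions' own source text so the block is self-contained; in practice the same pattern (SQL keywords inside a template literal containing `${`) is what a SAST rule for this bug matches on, and the parameterized version produces no finding because the query text contains no interpolation at all.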