fix(deps): update dependency sequelize to v6 [security] #68

renovate · 2023-03-16T06:42:19Z

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
sequelize (source)	`^4.17.2` -> `^6.29.0`

GitHub Vulnerability Alerts

CVE-2023-25813

Impact

The SQL injection exploit is related to replacements. Here is such an example:

In the following query, some parameters are passed through replacements, and some are passed directly through the where option.

User.findAll({
  where: or(
    literal('soundex("firstName") = soundex(:firstName)'),
    { lastName: lastName },
  ),
  replacements: { firstName },
})

This is a very legitimate use case, but this query was vulnerable to SQL injection due to how Sequelize processed the query: Sequelize built a first query using the where option, then passed it over to sequelize.query which parsed the resulting SQL to inject all :replacements.

If the user passed values such as

{
  "firstName": "OR true; DROP TABLE users;",
  "lastName": ":firstName"
}

Sequelize would first generate this query:

SELECT * FROM users WHERE soundex("firstName") = soundex(:firstName) OR "lastName" = ':firstName'

Then would inject replacements in it, which resulted in this:

SELECT * FROM users WHERE soundex("firstName") = soundex('OR true; DROP TABLE users;') OR "lastName" = ''OR true; DROP TABLE users;''

As you can see this resulted in arbitrary user-provided SQL being executed.

Patches

The issue was fixed in Sequelize 6.19.1

Workarounds

Do not use the replacements and the where option in the same query if you are not using Sequelize >= 6.19.1

References

See this thread for more information: https://github.com/sequelize/sequelize/issues/14519

Snyk: https://security.snyk.io/vuln/SNYK-JS-SEQUELIZE-2932027

CVE-2023-22580

Due to improper input filtering in the sequelize js library, can malicious queries lead to sensitive information disclosure.

CVE-2023-22579

Impact

Providing an invalid value to the where option of a query caused Sequelize to ignore that option instead of throwing an error.

A finder call like the following did not throw an error:

User.findAll({
  where: new Date(),
});

As this option is typically used with plain javascript objects, be aware that this only happens at the top level of this option.

Patches

This issue has been patched in sequelize@6.28.1 & @sequelize/core@7.0.0.alpha-20

References

A discussion thread about this issue is open at https://github.com/sequelize/sequelize/discussions/15698

CVE: CVE-2023-22579
Snyk: https://security.snyk.io/vuln/SNYK-JS-SEQUELIZE-3324090

CVE-2023-22578

Impact

Sequelize 6.28.2 and prior has a dangerous feature where using parentheses in the attribute option would make Sequelize use the string as-is in the SQL

User.findAll({
  attributes: [
    ['count(id)', 'count']
  ]
});

Produced

SELECT count(id) AS "count" FROM "users"

Patches

This feature was deprecated in Sequelize 5, and using it prints a deprecation warning.

This issue has been patched in @sequelize/core@7.0.0.alpha-20 and sequelize@6.29.0.

In Sequelize 7, it now produces the following:

SELECT "count(id)" AS "count" FROM "users"

In Sequelize 6, it throws an error explaining that we had to introduce a breaking change, and requires the user to explicitly opt-in to either the Sequelize 7 behavior (always escape) or the Sequelize 5 behavior (inline attributes that include () without escaping). See https://github.com/sequelize/sequelize/pull/15710 for more information.

Mitigations

Do not use user-provided content to build your list or attributes. If you do, make sure that attribute in question actually exists on your model by checking that it exists in the rawAttributes property of your model first.

A discussion thread about this issue is open at https://github.com/sequelize/sequelize/discussions/15694
CVE: CVE-2023-22578

Release Notes

sequelize/sequelize (sequelize)

`v6.29.0`

Compare Source

Features

throw an error if attribute includes parentheses (fixes CVE-2023-22578) (#15710) (d3f5b5a)

`v6.28.2`

Compare Source

Bug Fixes

accept undefined in where (#15703) (13f2e89)

`v6.28.1`

Compare Source

Bug Fixes

throw if where receives an invalid value (#15699) (d9e0728)
update moment-timezone version (#15685) (48d6193)

`v6.28.0`

Compare Source

Features

types: use retry-as-promised types for retry options to match documentation (#15484) (fd4afa6)

`v6.27.0`

Compare Source

Features

add support for bigints (backport of #14485) (#15413) (1247c01)

`v6.26.0`

Compare Source

Features

postgres: add support for lock_timeout [#15345] (#15355) (94beace)

`v6.25.8`

Compare Source

Bug Fixes

oracle: remove hardcoded maxRows value (#15323) (7885000)

`v6.25.7`

Compare Source

Bug Fixes

fix parameters not being replaced when after $$ strings (#15307) (bc39fd6)

Bug Fixes

remove options.model overwrite on bulkUpdate (#15252) (67e69cd), closes #15231

`v6.25.4`

Compare Source

Bug Fixes

types: add instance.dataValues property to model.d.ts (#15240) (00c6da3)

`v6.25.3`

Compare Source

Bug Fixes

don't treat \ as escape in standard strings, support E-strings, support vars after ->> operator, treat lowercase e as valid e-string prefix (#15139) (7990095), closes #14700

`v6.25.2`

Compare Source

Bug Fixes

types: fix TS 4.9 excessive depth error on InferAttributes (v6) (#15135) (851daaf)

`v6.25.1`

Compare Source

Bug Fixes

types: expose legacy "types" folder in export alias ( #15123) (9dd93b8)

`v6.25.0`

Compare Source

Features

oracle: add support for dialectOptions.connectString (#15042) (06ad05d)

`v6.24.0`

Compare Source

Features

snowflake: Add support for QueryGenerator#tableExistsQuery (#15087) (a44772e)

`v6.23.2`

Compare Source

Bug Fixes

postgres: add custom order direction to subQuery ordering with minified alias (#15056) (7203b66)

`v6.23.1`

Compare Source

Bug Fixes

oracle: add support for Oracle DB 18c CI (#15016) (5f621d7), closes #1 #7 #9 #13 #14 #16

`v6.23.0`

Compare Source

Features

types: add typescript 4.8 compatibility (#14990) (3468378)

`v6.22.1`

Compare Source

Bug Fixes

types: missing type for oracle dialect in v6 (#14992) (1da6657), closes #14991

`v6.22.0`

Compare Source

Features

oracle: add oracle dialect support (#14638) (c230d80), closes #1 #7 #9 #13 #14 #16

`v6.21.6`

Compare Source

Bug Fixes

types: backport #14704 for v6 (#14964) (33d94b2)

`v6.21.5`

Compare Source

Bug Fixes

mariadb: do not automatically parse JSON fields (#14800) (d047f32)

`v6.21.4`

Compare Source

Bug Fixes

minified aliases are now properly referenced in subqueries (v6) (#14852) (5a257bc), closes #14804

`v6.21.3`

Compare Source

Bug Fixes

postgres: attach postgres error-handler earlier in lifecycle (v6) (#14731) (90bb694)

`v6.21.2`

Compare Source

Bug Fixes

properly escape multiple $ in fn args (#14678) (7bb60e3)

`v6.21.1`

Compare Source

Bug Fixes

postgres: use schema set in sequelize config by default (#14665) (2f3b924)

`v6.21.0`

Compare Source

Features

exports types to support typescript >= 4.5 nodenext module (#14620) (cbdf73e)

`v6.20.1`

Compare Source

Bug Fixes

kill connection on commit/rollback error (#14535) (e1a9c28)

`v6.20.0`

Compare Source

Features

support cyclic foreign keys (#14499) (b37df96)

`v6.19.2`

Compare Source

Bug Fixes

accept replacements in ARRAY[] & followed by ; (#14518) (e37c572)

`v6.19.1`

Compare Source

Bug Fixes

do not replace :replacements inside of strings (#14472) (ccaa399)

⚠️ BREAKING CHANGE: This change is a security fix that patches a serious SQL injection vulnerability, however it is possible that your application made use of it and broke as a result of this change. Please see this issue for more information.

`v6.19.0`

Compare Source

Bug Fixes

types: make WhereOptions more accurate (#14368) (0d0aade)

Features

types: make Model.init aware of pre-configured foreign keys (#14370) (5954d2c)

`v6.18.0`

Compare Source

Features

add whereScopeStrategy to merge where scopes with Op.and (#14152) (8349c02)

`v6.17.0`

Compare Source

Bug Fixes

fix typo in query-generator.js error message (#14151) (2d339d0)
postgres: correctly re-acquire connection for pg-native (#14090) (82506a6)
types: drop excess argument for upsert (#14156) (da8678d)
types: export GroupedCountResultItem interface (#14154) (a81b7ab)
types: update 'replication' option property (#14126) (7ac1221)
types: update return type of Model.update (#14155) (b80aeed)

Features

types: infer nullable creation attributes as optional (#14147) (f5c06bd)
types: make Model.getAttributes stricter (#14017) (e974e20)

`v6.16.3`

Compare Source

Bug Fixes

types: support union in CreationAttributes (#14146) (d23bd7a)

`v6.16.2`

Compare Source

Bug Fixes

types: missing snowflake and db2 dialects (#14137) (0326c2c)

`v6.16.1`

Compare Source

Bug Fixes

correct path to package.json in Sequelize.version (#14073) (b95c213)

`v6.16.0`

Compare Source

Features

gen /lib & /types from /src & drop /dist (v6) (#14063) (6b8fbb4)

`v6.15.1`

Compare Source

Bug Fixes

types: accept $nested.syntax$ in WhereAttributeHash (#13983) (4a513cf)
types: correct typing definitions for Sequelize.where (#14018) (99c612b)
types: improve branded types (#13990) (a578ea0)

`v6.15.0`

Compare Source

Bug Fixes

types: deduplicate error typings (#14002) (fc28629)

Features

add options.rawErrors to Sequelize#query method (#13881) (7c58851)

`v6.14.1`

Compare Source

Bug Fixes

rollback PR #13951 in v6 (#14004) (1882f3c)

`v6.14.0`

Compare Source

Bug Fixes

don't call overloaded versions of find functions internally (#13951) (fc53cdb)
don't call overloaded versions of find functions internally (#13951) (b253d8e)
model.d: fix type for count and findAndCountAll (#13786) (b06c1fc)
types: add hooks to InstanceDestroyOptions type (#13491) (dbd9ea8)
types: add missing fields to FindOr{Create,Build}Options (#13389) (ef63f8f)
types: fix QueryInterface#bulkInsert attribute arg type (#13945) (9e108e3)

Features

types: add InferAttributes utility type (#13909) (fd42687)
types: add typings for DataTypes.TSVECTOR (#13940) (b8f0463)
types: drop TypeScript < 4.1 (#13954) (dd49044)

`v6.13.0`

Compare Source

Bug Fixes

fix typings for queries with {plain: true} option (#13899) (308d017)

Features

mariadb: add mariadb support in Sequelize.set function (#13926) (02bda05), closes #13920
postgres: drop indices concurrently in Postgres (#13903) (37f20a6)

`v6.12.5`

Compare Source

Bug Fixes

dialect: sequelize pool doesn't take effect in dialect "mssql" (#13880) (fc155b6)
model: fix count with grouping typing (#13884) (49beb29), closes #13871
types: improve ModelCtor / ModelStatic typing (#13890) (34aa808)
types: omit FK and scope keys in HasManyCreateAssociationMixin (#13892) (b315ce8)

`v6.12.4`

Compare Source

Bug Fixes

mssql/async-queue: fix unable to start mysql due to circular ref (#13823) (49e8614)

`v6.12.3`

Compare Source

Bug Fixes

data-types: moment object throwing error (#13818) (78c7414)

`v6.12.2`

Compare Source

Bug Fixes

abstract: patch jsonb operator for pg if value is json (#13780) (a2375c5)
operators: fix ts support for operators.ts (#13805) (b532ab1)
postgres: allows usage of schema for ARRAY(ENUM) type name (#13807) (da5b0ce)
query-interface: bring back quoteIdentifier(s) to queryInterface (#13810) (001dc60)

`v6.12.1`

Compare Source

Bug Fixes

allow deep imports (#13795) (1ecdaf9)
fix invalid ts import style of lib/operators (#13797) (8acc14f)

`v6.12.0`

Compare Source

Bug Fixes

data-types: unnecessary warning when getting data with DATE dataTypes (#13712) (121884b)
docs: add aws-lamda route (#13693) (3059bce)
example: fix coordinates format as per GeoJson (#13718) (f9dec20)
increment: fix key value broken query (#12985) (fc0b19e)
model.d: fix findAndCountAll.count type (#13736) (b7b472e)
snowflake: fix to prevent disconnect attempt on already disconnected connection (#13775) (2a9a551)
types: add Col to where Ops (#13717) (2d7b865)
types: add instance member declaration (#13684) (ae3cde5)
types: add missing schema field to sequelize options (c7a0839), closes #12606
types: allow override json function with custom return type (#13694) (2c3b384)
upsert: fall back to DO NOTHING if no update key values provided (#13594) (4071378)
upsert: fall back to DO NOTHING if no update key values provided (#13711) (f9dfaa7), closes #13594
wrong interface used within mixin (#13685) (bd3ddf5)

Features

dialects: add experimental support for db2 (#13374) (4443d2a)
dialect: snowflake dialect support (#13406) (ad68a5e)
model: complete getAttributes feature (b6510df)
typescript: create alpha release with ts (911125e)
types: transition lib/errors (#13710) (8cdce6a)
upsert: add conflictFields option (#13723) (496bede)

`v6.11.0`

Compare Source

Features

option for attributes having dotNotation (#13670) (41876f1)

`v6.10.0`

Compare Source

Bug Fixes

typing on creation within an association (#13678) (0312f8e)
logger: change logging depth from 3 to 1 (#12879) (ddddc24)
mariadb: fix MariaDB 10.5 JSON (#13633) (cdd61dd)
model: clone options object instead of modifying (#13589) (3be43de)
mssql: fix sub query issue occurring with renamed primary key fields (#12801) (73d99ab)
mssql: sqlserver 2008 fix for using offsets and include criteria (47c4494)
query: make stacktraces include original calling code (#13347) (f581543)
types: Add missing type definitions in models (#13553) (73ecf6c)
types: add specifc tojson type in model.d.ts (#13661) (5924be5)
types: DataType.TEXT overloading definition (#13654) (1690801)
types: include 'paranoid' in IncludeThroughOptions definition (#13625) (b1fb1f3)
types: ne op documentation (#13666) (98485df)
types: rename types and update CONTRIBUTING docs (#13348) (1f23924)
expect result is null but got zero (#13637) (da3ac09)

Features

definitions: Adds AbstractQuery and before/afterQuery hook definitions (#13635) (37a5858)
postgresql: easier SSL config and options param support (#13673) (9591573)

`v6.9.0`

Compare Source

Bug Fixes

docs: using incorrect esdocs syntax (#13615) (c3c690b)
sqlite: quote table names in sqlite getForeignKeysQuery (#13587) (eeb6a8f)
upsert: do not overwrite an explcit created_at during upsert (#13593) (594cee8)

Features

mysql: add support for MySQL v8 (#13618) (35978f0)

`v6.8.0`

Compare Source

Bug Fixes

types: allow any values in isIn validator (#12962) (d511d91)
allows insert primary key with zero (#13458) (e4aff2f)
model: Convert number values only if they aren't null to avoid NaN (199b632)
model.d: accept [Op.is] in where (broken in TypeScript 4.4) (#13499) (d685a9a)
postgres: fix findCreateFind to work with postgres transactions (#13482) (84421d7)
select: do not force set subQuery to false (#13490) (0943339)
sqlite: fix wrongly overwriting storage if empty string (#13376) (c3e608b), closes #13375
types: add missing upsert hooks (#13394) (5e9c209)
types: extend BulkCreateOptions by SearchPathable (#13469) (47c2d05), closes #13454
types: typo in model.d.ts (#13574) (31d0fbc)

Features

postgres: support query_timeout dialect option (#13258) (3ca085d)
typings: add UnknownConstraintError (#13461) (69d899e)

`v6.7.0`

Compare Source

Bug Fixes

deps: upgrade to secure versions of dev deps (#13549) (cf53734)
docs: fix typo in documentation for polymorphic associations (#13405) (bbf3d76)
types: allow rangable to take a string tuple (#13486) (ca2a11a)

Features

test: add test for nested column in where query (#13478) (26b62c7), closes #13288
types: make config type deeply writeable for before connect hook (#13424) (f078f77)

`v6.6.5`

Compare Source

Bug Fixes

dependency: upgrade validator (#13350) (56bb1d6)

`v6.6.4`

Compare Source

Bug Fixes

typings: make Transactionable compatible with TransactionOptions (#13334) (cd2de40)
utils: clone attributes before mutating them (#13226) (1a16b91)
data-types: use proper field name for ARRAY(ENUM) (#13210) (1cfbd33)
typings: fix ignoreDuplicates option (#13220) (b33d78e)
typings: allow schema for queryInterface methods (#13223) (6b0b532)
typings: restrict update typings (#13216) (63ceb73)
typings: returning can specify column names (#13215) (143cc84)
typings: model init returns model class, not instance (#13214) (8f2a0d5)
plurals: bump inflection dependency (#13260) (deeb5c6)
bulk-create: ON CONFLICT with unique index (#13345) (6dcb565)

`v6.6.2`

Compare Source

Bug Fixes

types: fix Model.prototype.previous() (#13042) (5b16b32)

`v6.6.1`

Compare Source

Bug Fixes

query-generator: use AND in sql for not/between (#13043) (a663c54)
sqlite: retrieve primary key on upsert (#12991) (023e1d9)
types: allow (keyof TAttributes)[] in UpdateOptions.returning (#13130) (97ba242)
types: models with attributes couldn't be used in some cases (#13010) (de5f21d)
types: remove string from Order type (#13057) (ac39f8a)

`v6.6.0`

Compare Source

Bug Fixes

types: allow sequelize.col in attributes (#13105) (3fd64cb)
types: allow bigints in WhereValue (#13028) (8892507)
types: decapitalize queryGenerator property (#13126) (9cb4d7f)
types: fix Model#previous type (#13106) (466e361)
types: fix ValidationErrorItem types (#13108) (e35a9bf)

Features

add-constraint: add deferrable option (#13096) (f98bd7e)

`v6.5.1`

Compare Source

Bug Fixes

mysql: release connection on deadlocks (#13102) (6388507)
- Note: this complements the work done in 6.5.0, fixing another situation not covered by it with MySQL.
types: allow transaction to be null (#13093) (ced4dc7)

`v6.5.0`

[Compare Source](https://redirect.github.com/sequelize/sequelize/compare/v6.4.0..

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate bot force-pushed the renovate/npm-sequelize-vulnerability branch from 9e13b25 to 968253d Compare March 25, 2023 03:07

renovate bot force-pushed the renovate/npm-sequelize-vulnerability branch 2 times, most recently from 7034d40 to fb80aa3 Compare April 3, 2023 11:37

renovate bot force-pushed the renovate/npm-sequelize-vulnerability branch 2 times, most recently from dc0cfde to f718004 Compare April 17, 2023 16:17

renovate bot force-pushed the renovate/npm-sequelize-vulnerability branch 3 times, most recently from 5d6aea5 to 1fe5267 Compare June 4, 2023 08:16

renovate bot force-pushed the renovate/npm-sequelize-vulnerability branch from 1fe5267 to c90c9f4 Compare June 4, 2023 15:26

renovate bot force-pushed the renovate/npm-sequelize-vulnerability branch 6 times, most recently from d7c4026 to 054825f Compare June 19, 2023 11:34

renovate bot force-pushed the renovate/npm-sequelize-vulnerability branch 2 times, most recently from 1dabf76 to 632a5eb Compare June 29, 2023 13:40

renovate bot force-pushed the renovate/npm-sequelize-vulnerability branch 4 times, most recently from d501fbd to 1213393 Compare July 9, 2023 12:21

renovate bot force-pushed the renovate/npm-sequelize-vulnerability branch 4 times, most recently from 90d1c15 to bc0a5e3 Compare July 19, 2023 17:33

renovate bot force-pushed the renovate/npm-sequelize-vulnerability branch 4 times, most recently from 0b0585d to 67d6549 Compare August 1, 2023 18:13

renovate bot force-pushed the renovate/npm-sequelize-vulnerability branch from 67d6549 to 7493f82 Compare August 9, 2023 14:56

renovate bot force-pushed the renovate/npm-sequelize-vulnerability branch from 7f59261 to 808b0b3 Compare March 24, 2024 16:20

renovate bot force-pushed the renovate/npm-sequelize-vulnerability branch 2 times, most recently from 4a0c6bb to fc4bc22 Compare April 14, 2024 10:58

renovate bot force-pushed the renovate/npm-sequelize-vulnerability branch 4 times, most recently from e7b1670 to 0f60c49 Compare April 25, 2024 13:15

renovate bot force-pushed the renovate/npm-sequelize-vulnerability branch 4 times, most recently from 178d3dd to efc3e14 Compare May 9, 2024 13:45

renovate bot force-pushed the renovate/npm-sequelize-vulnerability branch 2 times, most recently from d03d838 to 786a032 Compare May 16, 2024 02:41

renovate bot force-pushed the renovate/npm-sequelize-vulnerability branch 2 times, most recently from 6f69416 to b0b0ea8 Compare June 4, 2024 16:49

renovate bot force-pushed the renovate/npm-sequelize-vulnerability branch 2 times, most recently from 77e05d8 to 464f74b Compare June 27, 2024 09:22

renovate bot force-pushed the renovate/npm-sequelize-vulnerability branch 4 times, most recently from 64988b0 to 7afeca4 Compare July 14, 2024 13:37

renovate bot force-pushed the renovate/npm-sequelize-vulnerability branch 2 times, most recently from 03f77f1 to e739a9c Compare July 21, 2024 17:39

renovate bot force-pushed the renovate/npm-sequelize-vulnerability branch 2 times, most recently from c4db120 to 1695be5 Compare July 28, 2024 16:03

renovate bot force-pushed the renovate/npm-sequelize-vulnerability branch 2 times, most recently from 5b11b08 to f46339b Compare October 9, 2024 14:10

renovate bot force-pushed the renovate/npm-sequelize-vulnerability branch from f46339b to 7ec4aa5 Compare October 28, 2024 14:36

fix(deps): update dependency sequelize to v6 [security]

75a71af

renovate bot force-pushed the renovate/npm-sequelize-vulnerability branch from 7ec4aa5 to 75a71af Compare October 28, 2024 17:04

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(deps): update dependency sequelize to v6 [security] #68

fix(deps): update dependency sequelize to v6 [security] #68

renovate bot commented Mar 16, 2023 •

edited

Loading

fix(deps): update dependency sequelize to v6 [security] #68

Are you sure you want to change the base?

fix(deps): update dependency sequelize to v6 [security] #68

Conversation

renovate bot commented Mar 16, 2023 • edited Loading

GitHub Vulnerability Alerts

Impact

Patches

Workarounds

References

Impact

Patches

References

Impact

Patches

Mitigations

Release Notes

Features

Bug Fixes

Bug Fixes

Features

Features

Features

Bug Fixes

Bug Fixes

Bug Fixes

Bug Fixes

Bug Fixes

Bug Fixes

Bug Fixes

Bug Fixes

Features

Features

Bug Fixes

Bug Fixes

Features

Bug Fixes

Features

Bug Fixes

Bug Fixes

Bug Fixes

Bug Fixes

Bug Fixes

Bug Fixes

Features

Bug Fixes

Features

Bug Fixes

Bug Fixes

Bug Fixes

Features

Features

Bug Fixes

Features

Bug Fixes

Bug Fixes

Bug Fixes

Features

Bug Fixes

Bug Fixes

Features

Bug Fixes

Bug Fixes

Features

Bug Fixes

Features

Bug Fixes

Bug Fixes

Bug Fixes

Bug Fixes

Bug Fixes

Bug Fixes

Features

Features

Bug Fixes

Features

Bug Fixes

Features

Bug Fixes

Features

renovate bot commented Mar 16, 2023 •

edited

Loading