9

I'm using Sequelize with PostgreSQL for the first time. It's also my first time using an SQL database in a long time.

I have been researching how to improve the performance and security of some SQL queries. I came across the sequelize.query() method and started using it for this purpose.

Is this way of making raw queries in Sequelize vulnerable to SQL Injection?

4
  • 1
    Security and performance are two separate questions; it's best if you ask them independently. Commented Sep 25, 2019 at 6:34
  • why are you using sequelize.query anyways? Why not use the model files? Commented Sep 25, 2019 at 6:37
  • If sequelize.query gets the work done and does not have any security or performance loopholes then I will use it. Otherwise will move to querying with ORM. Commented Sep 25, 2019 at 6:39
  • 2
    "or performance loopholes": typically the ORM will just send the query to the DB engine. There is no "performance" to speak of, as it's the DB engine that is going to run the query. So, if you supply a bad query, it doesn't matter which library you give it to in order to be handed off to the same DB engine. Second, even with a good query, typically the larger slowdown comes from the connection to the database - if the roundtrip to the DB itself takes 100ms, then optimising the query from, say, 4ms to 3ms will not save you much time. As I said, performance is a completely separate topic. Commented Sep 25, 2019 at 6:45

3 Answers

6

Although you can avoid them, you can also issue queries vulnerable to SQL Injection.

If you use exclusively queries that use Replacements or Bind Parameters for all the user entered values, you should be safe.


2 Comments

So does that mean that Sequelize performs proper sanitation for Replacements? Because their documentation says almost nothing on such an important topic. They only mention that "Bind parameters are like replacements. Except replacements are escaped... " What do they mean by "escaped" - no information at all. Does that mean that only replacements are safe and bind parameters are not? - no information.
Unfortunately, as best as I can tell, this is not actually a prepared query, so there's almost certainly going to be a workaround found by a dedicated enough hacker, simultaneously proving two axioms: 1) JS refuses to learn from the mistakes of earlier languages and 2) Most DB library authors don't understand DBs. We all went through this 20 years ago with PHP's refusal to properly implement prepared queries and the serial failures of mysql escape functions to properly sanitize. What's old is new, I guess.
0

Is this vulnerable to SQL injection: The simple answer is "yes". You are using a raw query. If that raw query ever gets input from user input, however indirectly, you open up the possibility of SQL injection. Whether the risk is real or not depends on the rest of your code.

Performance is different. A raw query may be slightly more performant than using the Sequelize methods but is MUCH more dependent on database structure and the nature of the query itself. This is a broad topic that can't be answered from the information given.

2 Comments

Where should I look for more information on this topic?
On which topic? Performance or SQL injection? For SQL injection, check out the OWASP Top 10 and read... a lot... You should really be up to speed on everything there. For query performance, you need to understand different database table types, indexes, and spend work optimizing queries. This is a topic worthy of a book, but just reading up on how indexes work and reading some articles on SQL query optimization will do wonders.
0

Sequelize does escape data you pass to the replacements parameter, as shown in the source.

However, there has been at least one SQL injection vulnerability in Sequelize through use of replacements. It's probably wise to further validate user input before passing it to replacements.
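The three forms discussed in the first and third answers side by side, as an added example that is not from the question, the answers, or Sequelize itself: the `replacements`, `bind` and `type` options are Sequelize's documented ones for `sequelize.query`, while the `recordingDb` stub, the `users` table and the sample input are assumptions so the block runs without a database.

```javascript
// Stand-in when Sequelize is not installed (assumption): QueryTypes.SELECT has
// the real constant's value, so the option objects below match what Sequelize accepts.
let QueryTypes;
try { ({ QueryTypes } = require('sequelize')); } catch { QueryTypes = { SELECT: 'SELECT' }; }

// Vulnerable: the user-supplied value is spliced into the SQL text, so a quote
// in the input changes the statement's structure instead of staying data.
function findUserUnsafe(db, username) {
  return db.query(`SELECT id, email FROM users WHERE username = '${username}'`,
    { type: QueryTypes.SELECT });
}

// Replacements: the SQL keeps the :username placeholder; Sequelize escapes the
// value and substitutes it client-side before the statement reaches PostgreSQL.
function findUserWithReplacements(db, username) {
  return db.query('SELECT id, email FROM users WHERE username = :username',
    { replacements: { username }, type: QueryTypes.SELECT });
}

// Bind parameters: $1 stays in the SQL text and the value travels separately
// to PostgreSQL, so the server never parses it as part of the query.
function findUserWithBind(db, username) {
  return db.query('SELECT id, email FROM users WHERE username = $1',
    { bind: [username], type: QueryTypes.SELECT });
}

// Recording stub (assumption, not Sequelize): captures exactly the (sql, options)
// pair that sequelize.query would receive, so the difference is visible offline.
function recordingDb() {
  const calls = [];
  return {
    calls,
    query(sql, options) { calls.push({ sql, options }); return Promise.resolve([]); },
  };
}

// Runs all three forms for one input and reports, per form, whether the raw
// input ended up inside the SQL text. Only the unsafe form should say true.
function inputReachesSqlText(username) {
  const db = recordingDb();
  findUserUnsafe(db, username);
  findUserWithReplacements(db, username);
  findUserWithBind(db, username);
  return {
    unsafe: db.calls[0].sql.includes(username),
    replacements: db.calls[1].sql.includes(username),
    bind: db.calls[2].sql.includes(username),
    sql: db.calls.map((c) => c.sql),
  };
}
```

A constructed but legitimate input such as `O'Brien` is enough to show the problem: the unsafe form produces `... username = 'O'Brien'`, which is no longer the statement the developer wrote, while the other two leave the SQL text untouched and hand the value over separately.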
