With sequelize query builder, I am doing

findOne({where: {foo: myStringValue}})

Is there a chance of injection if myStringValue is not a string as I expected?

It seems like myStringValue could (somehow) possibly be {someEvilOperator: "someEvilData"} (let's assume an upstream flaw let that evil data leak). However, Sequelize seems to use operators whose keys are symbols, so I cannot see how corrupt data could translate to actual Sequelize operators.

Is there a risk here, or is it safe enough?

Is it good practice to wrap all values as String(myStringValue), or is it unnecessary?
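The question above hinges on what happens when a value that was supposed to be a string arrives as something else, which is exactly what JSON.parse on a request body can produce. The following is an added example, not code from the question or from the Sequelize project, and it does not import Sequelize: it only builds the plain `where` objects that would be handed to findOne(). The helper names (requireString, buildWhere, classifyValue) and the sample request bodies are constructed for this illustration. Two facts it relies on are documented Sequelize behaviour: an array value in a `where` field is rendered as an IN list, and an object value is read as a map of operators, whose keys are the Symbols on `Sequelize.Op` in v5 and later (string aliases such as `$gt` were accepted by default in v4 and earlier, and in later versions only when an `operatorsAliases` mapping is explicitly configured). The guard therefore rejects every non-string rather than coercing it, and the demo shows why `String()` coercion is a poor substitute.

```javascript
// Added example: a type guard for values that go into a Sequelize `where`
// clause. Sequelize itself is not imported; buildWhere() returns the plain
// object you would pass to findOne(). All request bodies are constructed
// sample inputs, shaped the way JSON.parse would produce them.

// Return a short type label for error messages.
function describe(value) {
  if (value === null) return 'null';
  if (Array.isArray(value)) return 'array';
  return typeof value;
}

// Accept only a primitive string. Arrays become IN lists and plain objects
// are read as operator maps, so anything else is refused, not coerced.
function requireString(value, name) {
  if (typeof value !== 'string') {
    throw new TypeError(`${name} must be a string, got ${describe(value)}`);
  }
  return value;
}

// Build `{ where: { field: value, ... } }` from an untrusted body, validating
// each field that is meant to be a plain equality match.
function buildWhere(body, fields) {
  const where = {};
  for (const field of fields) {
    where[field] = requireString(body[field], field);
  }
  return { where };
}

// Classify how an unchecked value would change the generated query.
function classifyValue(value) {
  if (typeof value === 'string') return 'equality';
  if (Array.isArray(value)) return 'in-list';
  if (value !== null && typeof value === 'object') return 'operator-map';
  return 'other';
}

// Constructed sample request bodies (hypothetical, for the demo only).
const benignBody = { foo: 'alice' };
const arrayBody = { foo: ['alice', 'bob'] };
const objectBody = { foo: { $gt: '' } };

// Run the guard over each body and record what happened.
function demo() {
  const results = {};
  results.benign = buildWhere(benignBody, ['foo']);
  for (const [label, body] of [['array', arrayBody], ['object', objectBody]]) {
    try {
      buildWhere(body, ['foo']);
      results[label] = 'accepted';
    } catch (err) {
      results[label] = err.message;
    }
  }
  // String() coercion silently turns structured input into a meaningless
  // string instead of flagging it: 'alice,bob' and '[object Object]'.
  results.coercedArray = String(arrayBody.foo);
  results.coercedObject = String(objectBody.foo);
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The design choice is to validate the type at the boundary and fail loudly: a rejected request is visible in logs and can be alerted on, whereas `String()` coercion would let an array or object pass through as a nonsense literal that matches nothing and hides the malformed input.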
