Upgrade knex to versions 0.6.23, 0.7.6 or higher.
knex is a batteries-included SQL query & schema builder for Postgres, MySQL and SQLite3 and the browser.
Column names are not properly escaped in the PostgreSQL dialect. This may allow attackers to craft a query against the host database and access private information. Writing the following code:
```javascript
var knex = require('knex')({ client: 'pg' }); // PostgreSQL dialect, where the escaping is missing
var query = knex.select('id","name').from('test'); // the embedded double quote is passed through unescaped
console.log(query.toSQL());
```
produces the following result:
```
{ method: 'select',
  options: undefined,
  bindings: [],
  sql: 'select "id","name" from "test"' }
```
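As an added illustration (not knex's own code), the snippet below reproduces the flawed quoting beside the PostgreSQL rule that a double quote inside a quoted identifier is written as two double quotes, and runs both over the column name from the advisory; the helper names and the allow-list check are assumptions for this example.

```javascript
// Added example: why an unescaped '"' in a column name changes the query,
// and how a PostgreSQL identifier must actually be quoted.

// Mimics the flawed behaviour: the name is wrapped in double quotes, but an
// embedded '"' is left as-is, so the caller can close the quotes early.
function wrapIdentifierNaive(name) {
  return '"' + name + '"';
}

// PostgreSQL rule: inside a quoted identifier a literal double quote is
// written as two double quotes, so the whole input stays one identifier.
function wrapIdentifierPg(name) {
  return '"' + String(name).replace(/"/g, '""') + '"';
}

// Builds the SELECT from the advisory with the given identifier quoter.
function buildSelect(columns, table, wrap) {
  return 'select ' + columns.map(wrap).join(', ') + ' from ' + wrap(table);
}

// Defence in depth (hypothetical helper): when column names come from user
// input, validate them against a known allow-list rather than relying on
// quoting alone.
function pickColumns(requested, allowed) {
  const bad = requested.filter((c) => !allowed.includes(c));
  if (bad.length) throw new Error('unknown column(s): ' + bad.join(', '));
  return requested;
}

// Constructed input: the column name from the advisory, containing a '"'.
const input = ['id","name'];
const naive = buildSelect(input, 'test', wrapIdentifierNaive);
const fixed = buildSelect(input, 'test', wrapIdentifierPg);
// naive -> select "id","name" from "test"   (two columns: quoting was bypassed)
// fixed -> select "id"",""name" from "test" (one column literally named id","name)
```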