Improper input validation on the contains
LoopBack filter may allow for arbitrary SQL injection.
Impact
When the extended filter property contains
is permitted to be interpreted by the Postgres connector, it is possible to inject arbitrary SQL which may affect the confidentiality and integrity of data stored on the connected database.
This affects users who does any of the following:
- Connect to the database via the DataSource with
allowExtendedProperties: true
setting OR
- Uses the connector's CRUD methods directly OR
- Uses the connector's other methods to interpret the LoopBack filter.
Patches
Patch release [email protected]
has been published of which resolves this issue.
Workarounds
Users who are unable to upgrade should do the following if applicable:
- Remove
allowExtendedProperties: true
DataSource setting
- Add
allowExtendedProperties: false
DataSource setting
- When passing directly to the connector functions, manually sanitize the user input for the
contains
LoopBack filter beforehand.
For more information
If there are additional security issues with the LoopBack project, please report them to [email protected] using the LoopBack Security Team Email PGP key.
Improper input validation on the
contains
LoopBack filter may allow for arbitrary SQL injection.Impact
When the extended filter property
contains
is permitted to be interpreted by the Postgres connector, it is possible to inject arbitrary SQL which may affect the confidentiality and integrity of data stored on the connected database.This affects users who does any of the following:
allowExtendedProperties: true
setting ORPatches
Patch release
[email protected]
has been published of which resolves this issue.Workarounds
Users who are unable to upgrade should do the following if applicable:
allowExtendedProperties: true
DataSource settingallowExtendedProperties: false
DataSource settingcontains
LoopBack filter beforehand.For more information
If there are additional security issues with the LoopBack project, please report them to [email protected] using the LoopBack Security Team Email PGP key.