Date: Wed, 20 May 2015 16:50:18 +0200
From: Florian Weimer <>
Subject: JSON-based SQL query construction (Sequelize as an example)

We came across an issue which could deserve some wider attention: JSON
injection altering the structure of queries in certain ORM tools.


Already in July 2014, Kazuho Oku described a JSON injection issue in the
SQL::Maker Perl package, discovered by his colleague Toshiharu Sugiyama:


Additional SQL frameworks could be affected if they implement such
queries and are used with JSON frameworks which produce dict/hash
objects native to the programming language (so that they are
indistinguishable from query expressions).
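The pattern the post describes, as an added example that is not from the post or from Sequelize: a hypothetical minimal WHERE-clause builder in which an operator object such as `{"$like": "%"}` is a query expression, fed once with a decoded JSON value directly (the vulnerable pattern) and once behind a scalar check (the mitigation). The builder, `assertScalar`, and the sample request bodies are all constructed for this illustration.

```javascript
// Hypothetical minimal WHERE-clause builder following the convention the
// post describes: a scalar means equality, an object {"$op": operand}
// is a query expression. Not Sequelize's code; it only models the pattern.
const OPERATORS = { $gt: '>', $lt: '<', $ne: '<>', $like: 'LIKE' };

function buildWhere(conditions) {
  const sql = [];
  const params = [];
  for (const [column, value] of Object.entries(conditions)) {
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      // Operator object: the key selects the operator, the value is bound.
      for (const [op, operand] of Object.entries(value)) {
        if (!(op in OPERATORS)) throw new Error(`unknown operator ${op}`);
        sql.push(`${column} ${OPERATORS[op]} ?`);
        params.push(operand);
      }
    } else {
      sql.push(`${column} = ?`);
      params.push(value);
    }
  }
  return { sql: sql.join(' AND '), params };
}

// Mitigation: a value taken from a decoded JSON body must be a scalar
// before it reaches the builder, so it can only ever be a bound parameter.
function assertScalar(value, name) {
  if (value === null || ['string', 'number', 'boolean'].includes(typeof value)) {
    return value;
  }
  const kind = Array.isArray(value) ? 'array' : typeof value;
  throw new TypeError(`${name}: expected scalar, got ${kind}`);
}

// Constructed request bodies, as a JSON API endpoint would decode them.
const benignBody = JSON.parse('{"email":"alice@example.com"}');
const objectBody = JSON.parse('{"email":{"$like":"%"}}');

// Vulnerable pattern: the decoded value goes straight to the builder, so a
// JSON object is indistinguishable from a query expression and the
// equality test silently becomes a LIKE that matches every row.
function lookupUnchecked(body) {
  return buildWhere({ email: body.email });
}

// Hardened pattern: the type check rejects the object before it can
// change the query structure.
function lookupChecked(body) {
  return buildWhere({ email: assertScalar(body.email, 'email') });
}
```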

Florian Weimer / Red Hat Product Security
