Typescript Nest Mysql Injection
Description
This detector identifies SQL injection vulnerabilities in TypeScript NestJS applications using MySQL databases. It finds cases where user-controlled data is passed directly to MySQL query methods without proper sanitization, allowing attackers to manipulate SQL queries and potentially access or modify database contents.
Detection Strategy
• File must import both NestJS framework (@nestjs modules) and MySQL database driver (mysql or mysql2 packages)
• Code contains method calls ending with MySQL query methods like .query(), .execute(), .prepare(), etc.
• The method call is made on a valid MySQL connection or database object
• First argument to the MySQL query method contains user-controlled or untrusted data
• The SQL query argument lacks proper sanitization, parameterization, or escaping mechanisms
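As an added example (not the detector's own code), the following TypeScript is a syntactic approximation of the strategy above: it checks the import precondition, then flags query-method calls whose first argument is assembled by template interpolation or string concatenation. The real detector follows data flow from request input; here every interpolated expression is assumed untrusted, which over-approximates. The sample sources at the bottom are constructed for the demonstration.

```typescript
// Added example, not the detector's own code: a syntactic approximation of the
// detection strategy. Assumption: any interpolated or concatenated expression in
// the SQL text is untrusted (the real detector tracks data flow from the request).

interface Finding {
  method: string;   // query, execute or prepare
  argument: string; // source text of the first argument
  reason: string;
}

const QUERY_METHODS = ['query', 'execute', 'prepare'];

/** Precondition from the strategy: both NestJS and a MySQL driver are imported. */
function importsNestAndMysql(source: string): boolean {
  const nest = /from\s+['"]@nestjs\//.test(source);
  const mysql = /from\s+['"]mysql2?(\/promise)?['"]/.test(source);
  return nest && mysql;
}

/** Source text of the first argument following the '(' at index openParen. */
function firstArgument(source: string, openParen: number): string {
  let depth = 0;
  let quote = ''; // non-empty while inside a string or template literal
  for (let i = openParen + 1; i < source.length; i++) {
    const ch = source.charAt(i);
    if (quote !== '') {
      if (ch === '\\') { i++; continue; } // skip the escaped character
      if (ch === quote) quote = '';
      continue;
    }
    if (ch === "'" || ch === '"' || ch === '`') { quote = ch; continue; }
    if (ch === '(' || ch === '[' || ch === '{') depth++;
    else if (ch === ')' || ch === ']' || ch === '}') {
      if (depth === 0) return source.slice(openParen + 1, i).trim();
      depth--;
    } else if (ch === ',' && depth === 0) {
      return source.slice(openParen + 1, i).trim();
    }
  }
  return source.slice(openParen + 1).trim();
}

/** Blank out quoted literals so a '+' inside a string is not read as concatenation. */
function withoutStringLiterals(text: string): string {
  return text.replace(/'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*"/g, '""');
}

/** Why the argument looks unsafe, or null for a constant (or an identifier needing data-flow analysis). */
function classify(argument: string): string | null {
  if (argument.startsWith('`') && argument.includes('${')) {
    return 'template literal interpolates an expression into the SQL text';
  }
  if (withoutStringLiterals(argument).includes('+')) {
    return 'SQL text is built by string concatenation';
  }
  return null;
}

function scanNestMysqlSource(source: string): Finding[] {
  if (!importsNestAndMysql(source)) return [];
  const findings: Finding[] = [];
  const call = new RegExp(`\\.(${QUERY_METHODS.join('|')})\\s*\\(`, 'g');
  let m: RegExpExecArray | null;
  while ((m = call.exec(source)) !== null) {
    // lastIndex points just past the matched '(' because the regex has the g flag
    const argument = firstArgument(source, call.lastIndex - 1);
    const reason = classify(argument);
    if (reason !== null) findings.push({ method: m[1] ?? '', argument, reason });
  }
  return findings;
}

// Constructed sample sources (not from the page) covering the three outcomes.
const VULNERABLE_SAMPLE = [
  "import { Controller, Get, Query } from '@nestjs/common';",
  "import * as mysql from 'mysql2';",
  "const connection = mysql.createConnection({ host: 'localhost', user: 'root', database: 'test' });",
  "@Controller('users') export class UsersController {",
  "  @Get() find(@Query('name') name: string) {",
  "    return connection.query(`SELECT id FROM users WHERE name = '${name}'`);",
  '  }',
  '}',
].join('\n');
const SECURE_SAMPLE = VULNERABLE_SAMPLE.replace(
  "connection.query(`SELECT id FROM users WHERE name = '${name}'`)",
  "connection.query('SELECT id FROM users WHERE name = ?', [name])",
);
const NON_MYSQL_SAMPLE = VULNERABLE_SAMPLE.replace("from 'mysql2'", "from 'pg'");
```

Running `scanNestMysqlSource` over the three samples yields one finding for the interpolated template literal, none for the placeholder query with a values array, and none for the file that never imports a MySQL driver (the precondition fails, so it is skipped entirely). A call whose first argument is a bare identifier is not flagged here; that case is exactly where a real detector needs taint tracking rather than syntax.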
Vulnerable code example

```ts
import { Controller, Get, Query } from '@nestjs/common';
import * as mysql from 'mysql2';

const connection = mysql.createConnection({
  host: 'localhost',
  user: 'root',
  database: 'test'
});
...
```
✅ Secure code example

```ts
import { Controller, Get, Query } from '@nestjs/common';
import * as mysql from 'mysql2';

const connection = mysql.createConnection({
  host: 'localhost',
  user: 'root',
  database: 'test'
});
...
```
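The two examples above are truncated on this page, so here is an added, self-contained illustration (not code from Fluid Attacks) of the vulnerable and hardened query patterns side by side. The NestJS controller and the mysql2 driver are replaced by a minimal stand-in that records the statement instead of sending it; this stand-in is an assumption so the file runs offline, while the `query(sql, values)` shape mirrors mysql2's placeholder API.

```typescript
// Added example, not from the original page. The RecordingConnection stand-in is an
// assumption replacing a real mysql2 connection; it only captures what the
// application would hand to the driver.

interface QueryCall {
  sql: string;
  values: unknown[] | undefined;
}

/** Stand-in for a mysql2 connection: records the statement instead of executing it. */
class RecordingConnection {
  query(sql: string, values?: unknown[]): QueryCall {
    return { sql, values };
  }
}

// VULNERABLE: untrusted input is spliced into the statement text, so any quote in
// the input changes the structure of the SQL the server will parse.
function findUserUnsafe(conn: RecordingConnection, name: string): QueryCall {
  return conn.query(`SELECT id, name FROM users WHERE name = '${name}'`);
}

// SECURE: the statement text is a constant with a `?` placeholder; the value
// travels separately and the driver escapes it before execution.
function findUserSafe(conn: RecordingConnection, name: string): QueryCall {
  return conn.query('SELECT id, name FROM users WHERE name = ?', [name]);
}

/** Single quotes in the statement text; an odd count means a literal was broken open. */
function singleQuoteCount(sql: string): number {
  return (sql.match(/'/g) ?? []).length;
}

function demo(): { unsafe: QueryCall; safe: QueryCall } {
  const conn = new RecordingConnection();
  const input = "O'Brien"; // constructed input: an ordinary name containing an apostrophe
  return { unsafe: findUserUnsafe(conn, input), safe: findUserSafe(conn, input) };
}
```

Even a legitimate value exposes the difference: with the apostrophe, the unsafe version sends `... WHERE name = 'O'Brien'`, three quotes, which MySQL rejects as a syntax error, and the same mechanism lets a deliberately crafted value alter the statement. The parameterized version sends unchanged statement text with `["O'Brien"]` as a separate value, which is what the detector's "parameterization or escaping" condition is looking for.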