Typescript Nest Sqlite Injection
Description
This detector identifies SQL injection vulnerabilities in TypeScript NestJS applications that use SQLite databases (better-sqlite3 or node:sqlite modules). It finds cases where user-controlled input is passed directly to SQLite query methods without proper sanitization, allowing attackers to manipulate SQL queries and potentially access or modify database contents.
Detection Strategy
• The code file must import the @nestjs framework (any NestJS module)
• The code must import SQLite database modules (better-sqlite3 or node:sqlite)
• The code contains method calls ending in a SQLite sink method such as .exec(), .prepare() or .run()
• The method call originates from a SQLite database object creation
• The first argument to the SQLite method contains user-controlled input that flows from NestJS request parameters, body, or other untrusted sources without proper sanitization
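The five rules above, worked through as an added example that is not part of this page and not Fluid Attacks' detector code: a deliberately simplified TypeScript approximation that checks a source file for a @nestjs import, a better-sqlite3 or node:sqlite import, a database object created from that import, a sink method called on it, and a first argument that carries a request-decorated parameter (directly or through local assignments). It uses regular expressions and an assignment trace instead of a real AST and taint engine, the sink list extends the page's ".exec(), .prepare(), .run()" with .get() and .all() as an assumption, and the two controller sources it scans are constructed for the example.

```typescript
// Added example, not Fluid Attacks' detector code: a simplified, text-based approximation
// of the rules under "Detection Strategy", run over constructed controller sources.
const SQLITE_MODULES = ['better-sqlite3', 'node:sqlite'];
const SINK_METHODS = ['exec', 'prepare', 'run', 'get', 'all']; // "get"/"all" added as an assumption
const REQUEST_DECORATORS = ['Param', 'Query', 'Body', 'Headers', 'Req', 'Request']; // request-bound params

export interface Finding { line: number; receiver: string; method: string; argument: string; }

function allMatches(re: RegExp, text: string): RegExpExecArray[] {
  const out: RegExpExecArray[] = [];
  let m: RegExpExecArray | null;
  re.lastIndex = 0;
  while ((m = re.exec(text)) !== null) out.push(m);
  return out;
}

// Rule 2: local names bound to a SQLite driver import ("Database" for `import Database from
// 'better-sqlite3'`, "NodeSqliteDB" for `import { DatabaseSync as NodeSqliteDB } from 'node:sqlite'`).
function sqliteImportBindings(src: string): Set<string> {
  const names = new Set<string>();
  const re = new RegExp('import\\s+(?:(\\w+)|\\{([^}]*)\\})\\s+from\\s+[\'"](?:' + SQLITE_MODULES.join('|') + ')[\'"]', 'g');
  for (const m of allMatches(re, src)) {
    if (m[1]) names.add(m[1]);
    for (const spec of (m[2] || '').split(',')) {
      const local = spec.trim().split(/\s+as\s+/).pop();
      if (local) names.add(local.trim());
    }
  }
  return names;
}

// Does the expression mention a tainted identifier as code? String literal contents are
// dropped, but the ${...} holes of template literals are kept because they are code.
function isTainted(expr: string, tainted: Set<string>): boolean {
  const code = expr
    .replace(/`[^`]*`/g, t => allMatches(/\$\{([^}]*)\}/g, t).map(h => h[1]).join(' '))
    .replace(/'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*"/g, '""');
  return (code.match(/[A-Za-z_$][\w$]*/g) || []).some(id => tainted.has(id));
}

// Rule 5 (sources): request-decorated parameters, plus every local initialised from a
// tainted expression, repeated to a fixed point so multi-hop assignments are followed.
function taintedIdentifiers(src: string): Set<string> {
  const tainted = new Set<string>();
  const decorated = new RegExp('@(?:' + REQUEST_DECORATORS.join('|') + ')\\s*\\([^)]*\\)\\s+(\\w+)', 'g');
  for (const m of allMatches(decorated, src)) tainted.add(m[1]);
  const assignments = allMatches(/(?:const|let|var)\s+(\w+)\s*=\s*([^;\n]+)/g, src);
  for (let grew = true; grew; ) {
    grew = false;
    for (const m of assignments) if (!tainted.has(m[1]) && isTainted(m[2], tainted)) { tainted.add(m[1]); grew = true; }
  }
  return tainted;
}

// First argument of the call whose "(" is at src[openParen]; quotes and nesting are
// tracked so a comma inside a string or a nested call does not end the argument early.
function firstArgument(src: string, openParen: number): string {
  let depth = 0, quote: string | null = null;
  for (let i = openParen; i < src.length; i++) {
    const c = src[i];
    if (quote) { if (c === '\\') i++; else if (c === quote) quote = null; continue; }
    if (c === '\'' || c === '"' || c === '`') quote = c;
    else if (c === '(' || c === '[' || c === '{') depth++;
    else if (c === ')' || c === ']' || c === '}') { if (--depth === 0) return src.slice(openParen + 1, i); }
    else if (c === ',' && depth === 1) return src.slice(openParen + 1, i);
  }
  return src.slice(openParen + 1);
}

// Rules 1, 3 and 4 with the helpers above: report a sink method called on a variable created
// with `new <SQLiteCtor>(...)` whose first argument carries request data. Constant SQL has no
// code identifiers and is never reported; stmt.get(id) is not reported because its receiver is
// a prepared statement, not the database object, so bound parameters stay clean.
export function scan(src: string): Finding[] {
  const findings: Finding[] = [];
  const ctors = sqliteImportBindings(src);
  if (!/from\s+['"]@nestjs\/[^'"]+['"]/.test(src) || ctors.size === 0) return findings;
  const dbs = new Set<string>();
  for (const m of allMatches(/(?:const|let|var)\s+(\w+)\s*=\s*new\s+(\w+)\s*\(/g, src)) if (ctors.has(m[2])) dbs.add(m[1]);
  const tainted = taintedIdentifiers(src);
  const call = new RegExp('\\b(\\w+)\\.(' + SINK_METHODS.join('|') + ')\\s*\\(', 'g');
  for (const m of allMatches(call, src)) {
    if (!dbs.has(m[1])) continue;
    const argument = firstArgument(src, m.index + m[0].length - 1).trim();
    if (!isTainted(argument, tainted)) continue;
    findings.push({ line: src.slice(0, m.index).split('\n').length, receiver: m[1], method: m[2], argument });
  }
  return findings;
}

// Constructed sample inputs, not taken from any real project.
export const VULNERABLE_CONTROLLER = [
  "import { Controller, Get, Param } from '@nestjs/common';",
  "import { DatabaseSync as NodeSqliteDB } from 'node:sqlite';",
  "const db = new NodeSqliteDB(':memory:');",
  "@Controller('users') export class UsersController {",
  "  @Get(':id') findOne(@Param('id') id: string) {",
  "    const sql = 'SELECT * FROM users WHERE id = ' + id;",
  "    return db.prepare(sql).get();",
  "  }",
  "}",
].join('\n');
export const SECURE_CONTROLLER = VULNERABLE_CONTROLLER
  .replace("const sql = 'SELECT * FROM users WHERE id = ' + id;", "const stmt = db.prepare('SELECT * FROM users WHERE id = ?');")
  .replace('return db.prepare(sql).get();', 'return stmt.get(id);');
```

scan(VULNERABLE_CONTROLLER) reports one finding, the db.prepare(sql) call on line 7, because sql was initialised from the @Param-bound id; scan(SECURE_CONTROLLER) reports nothing, since the SQL text is constant and id only reaches stmt.get(), whose receiver is not the database object. Feeding it the page's own vulnerable snippet also yields nothing, which is rule 1 at work: that snippet has no @nestjs import, so it is out of this detector's scope. A production detector does the same steps on an AST with real data-flow tracking rather than regular expressions.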
Vulnerable code example
import { DatabaseSync as NodeSqliteDB } from 'node:sqlite'; // node:sqlite exports DatabaseSync, not Database
const db = new NodeSqliteDB(':memory:');
// VULNERABLE: String concatenation before prepare()
function getUserById(id: string) {
  const stmt = db.prepare("SELECT * FROM users WHERE id = " + id); // SQL injection via concatenation
  return stmt.get();
}
Secure code example
import { DatabaseSync as NodeSqliteDB } from 'node:sqlite'; // node:sqlite exports DatabaseSync, not Database
const db = new NodeSqliteDB(':memory:');
// SECURE: Parameterized query with placeholder
function getUserById(id: string) {
  const stmt = db.prepare("SELECT * FROM users WHERE id = ?"); // Safe: uses parameter placeholder
  return stmt.get(id); // the value is bound as data and never parsed as SQL
}