Typescript Raw Query With User Input

Description

Detects SQL injection vulnerabilities when user-controlled input is passed unsanitized to Sequelize raw queries in Node.js/Express applications. Raw queries bypass the escaping that Sequelize's model and query-builder APIs apply automatically, so an application that concatenates or interpolates user input into the raw SQL string is susceptible to SQL injection unless the values are passed through Sequelize's parameterization options instead.

Weakness:

146 - SQL injection

Category: Unexpected Injection

Detection Strategy

    Identifies calls to the sequelize.query() function in Express applications

    Examines the first argument (the SQL query string) to check whether it contains, or is derived from, user-controlled input

    Analyzes the second argument (the options object) to verify whether proper parameterization or escaping is used

    Reports a vulnerability when user input flows into the SQL query without adequate sanitization or parameterization

Vulnerable code example

import { Sequelize } from 'sequelize';

// Assumed to be defined elsewhere: a connected Sequelize instance and the Users model.
declare const sequelize: Sequelize;
declare const UserModel: any;

function login(req: any, res: any): void {
  // VULNERABLE: Direct string interpolation of req.body values into the SQL string allows injection
  sequelize.query(`SELECT * FROM Users WHERE email = '${req.body.email}' AND password = '${req.body.password}'`, {
    model: UserModel,
    plain: true
  });
  // handling of the query result is omitted on the original page
}

✅ Secure code example

import { Sequelize } from 'sequelize';

// Assumed to be defined elsewhere: a connected Sequelize instance and the Users model.
declare const sequelize: Sequelize;
declare const UserModel: any;

function login(req: any, res: any): void {
  // SAFE: Using a parameterized query with named replacements prevents SQL injection;
  // Sequelize escapes each replacement value before substituting it for its :placeholder
  sequelize.query(
    'SELECT * FROM Users WHERE email = :email AND password = :password',
    {
      replacements: { email: req.body.email, password: req.body.password },
      model: UserModel,
      plain: true
    }
  );
  // handling of the query result is omitted on the original page
}
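The detection strategy above, as an added example that is not part of the original rule or the scanner's code: a small checker built on the TypeScript compiler API (assumed available as the `typescript` package) that flags `.query()` calls whose SQL argument interpolates or concatenates `req.body`, `req.query` or `req.params` and whose options object carries neither `replacements` nor `bind`. The user-input test is a direct-reference approximation, not real dataflow analysis, and the sample source it scans is constructed to mirror the two snippets on this page.

```typescript
import * as ts from "typescript";
export interface Finding { line: number; message: string; }

// Runtime expressions spliced into an SQL string: `${...}` substitutions and
// the non-literal operands of `+` concatenation.
function dynamicParts(node: ts.Expression): ts.Expression[] {
  if (ts.isTemplateExpression(node)) return node.templateSpans.map((s) => s.expression);
  if (ts.isBinaryExpression(node) && node.operatorToken.kind === ts.SyntaxKind.PlusToken)
    return [...dynamicParts(node.left), ...dynamicParts(node.right)];
  return ts.isStringLiteralLike(node) ? [] : [node]; // a constant string carries no user input
}
// Assumption (no real dataflow): user-controlled means it reads req.body/query/params directly.
function isUserControlled(expr: ts.Expression, sf: ts.SourceFile): boolean {
  return /\breq\.(body|query|params)\b/.test(expr.getText(sf));
}
// The options object parameterizes the query when it carries `replacements` or `bind`.
function isParameterized(options: ts.Expression | undefined): boolean {
  if (!options || !ts.isObjectLiteralExpression(options)) return false;
  return options.properties.some((p) =>
    (ts.isPropertyAssignment(p) || ts.isShorthandPropertyAssignment(p)) &&
    ts.isIdentifier(p.name) && (p.name.text === "replacements" || p.name.text === "bind"));
}

// Report `<receiver>.query(sql, options)` calls where user input reaches `sql`
// and `options` supplies no parameterization.
export function findRawQueryInjection(source: string): Finding[] {
  const sf = ts.createSourceFile("input.ts", source, ts.ScriptTarget.Latest, true);
  const findings: Finding[] = [];
  const visit = (node: ts.Node): void => {
    if (ts.isCallExpression(node) && ts.isPropertyAccessExpression(node.expression) &&
        node.expression.name.text === "query" && node.arguments.length > 0) {
      const [sql, options] = node.arguments;
      const tainted = dynamicParts(sql).filter((e) => isUserControlled(e, sf));
      if (tainted.length > 0 && !isParameterized(options)) {
        const { line } = sf.getLineAndCharacterOfPosition(node.getStart(sf));
        const names = tainted.map((e) => e.getText(sf)).join(", ");
        findings.push({ line: line + 1, message: `${names} reaches query() without replacements/bind` });
      }
    }
    ts.forEachChild(node, visit);
  };
  visit(sf);
  return findings;
}

// Constructed sample: line 1 mirrors the page's vulnerable snippet, line 2 the secure one.
export const SAMPLE = "sequelize.query(`SELECT * FROM Users WHERE email = '${req.body.email}'`, { plain: true });\n" +
  "sequelize.query('SELECT * FROM Users WHERE email = :email', { replacements: { email: req.body.email } });";
console.log(findRawQueryInjection(SAMPLE)); // one finding, on line 1
```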