Typescript Nest Oracle Sql Injection
Description
This detector identifies SQL injection vulnerabilities in NestJS applications using Oracle Database. It flags Oracle database execution methods (like execute, executeMany) when they receive SQL queries constructed with untrusted user input, which could allow attackers to manipulate database operations.
Detection Strategy
• The file imports both a '@nestjs' framework module and the 'oracledb' Oracle database driver module
• Code contains method calls ending with Oracle execution methods (execute, executeMany, etc.)
• The method call is made on a valid Oracle database connection object
• The first argument to the execution method (SQL query parameter) contains or is derived from unsafe user input
• The SQL argument is determined to be vulnerable through data flow analysis tracking user-controlled data
Vulnerable code example
import oracledb from 'oracledb';
async function getUserById(id: string) {
const connection = await oracledb.getConnection();
// VULNERABLE: string concatenation allows SQL injection
const sql = "SELECT * FROM users WHERE id = " + id;
return connection.execute(sql);
}
Secure code example
import oracledb from 'oracledb';
async function getUserById(id: string) {
const connection = await oracledb.getConnection();
// SAFE: bind variable prevents SQL injection
const sql = "SELECT * FROM users WHERE id = :id";
return connection.execute(sql, { id });
}
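An added example, not Fluid Attacks' code, that extends the secure pattern above to the two cases practitioners usually ask about next: executeMany with bind arrays, and a user-chosen ORDER BY column, which Oracle cannot take as a bind variable and therefore needs an allowlist. The OracleConnectionLike interface and RecordingConnection class are assumptions modelled on node-oracledb's execute/executeMany signatures so the file runs without a database.

```typescript
// Minimal connection shape (assumption modelled on node-oracledb) so the example runs offline.
interface OracleConnectionLike {
  execute(sql: string, binds?: Record<string, unknown>): Promise<unknown>;
  executeMany(sql: string, binds: Record<string, unknown>[]): Promise<unknown>;
}

// Identifiers cannot be bound in Oracle, so a client-selected sort column is checked
// against a fixed allowlist; only an allowlisted name ever reaches the SQL text.
const SORTABLE_COLUMNS = new Set(['id', 'email', 'created_at']);

// Parameterised lookup: the untrusted id travels in the binds object, never in the SQL string.
function buildUserLookup(id: string): { sql: string; binds: Record<string, unknown> } {
  return { sql: 'SELECT id, email FROM users WHERE id = :id', binds: { id } };
}

// Dynamic ORDER BY: rejects anything outside the allowlist instead of interpolating it.
function buildUserList(sortBy: string): { sql: string; binds: Record<string, unknown> } {
  if (!SORTABLE_COLUMNS.has(sortBy)) {
    throw new Error(`unsupported sort column: ${sortBy}`);
  }
  return { sql: `SELECT id, email FROM users ORDER BY ${sortBy}`, binds: {} };
}

// Service method in the shape the detector inspects: a request parameter flows into
// connection.execute. With binds the flow is safe; "... WHERE id = " + id would be flagged.
async function findUser(conn: OracleConnectionLike, id: string): Promise<unknown> {
  const { sql, binds } = buildUserLookup(id);
  return conn.execute(sql, binds);
}

// executeMany takes one statement and an array of bind sets; every row value stays a bind.
async function insertUsers(conn: OracleConnectionLike, rows: { id: string; email: string }[]) {
  return conn.executeMany('INSERT INTO users (id, email) VALUES (:id, :email)', rows);
}

// Constructed stand-in for a real oracledb connection: records what would be sent to Oracle.
class RecordingConnection implements OracleConnectionLike {
  calls: { method: string; sql: string; binds: unknown }[] = [];
  async execute(sql: string, binds: Record<string, unknown> = {}) {
    this.calls.push({ method: 'execute', sql, binds });
    return { rows: [] };
  }
  async executeMany(sql: string, binds: Record<string, unknown>[]) {
    this.calls.push({ method: 'executeMany', sql, binds });
    return { rowsAffected: binds.length };
  }
}
```

The same data-flow rule applies to template literals: `${id}` inside the SQL string is concatenation as far as the detector is concerned, so the id must still be a bind.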